Closed GuillaumeDesforges closed 4 years ago
The spring-boot-starter doesn't configure anything with security.
You mention that you include spring-security in your pom. The default behavior of that starter is to enable it. And you explicitly exclude the security autoconfiguration in your SpringBootApplication class. Why did you add Spring Security to your project in the first place then if you don't want to use it?
I want to use it, I already have some security set up on another branch in my project but I am trying to make things work incrementally and isolate the issue.
Could spring-boot-starter start something like a servlet that could prioritize on my application and use the autoconfiguration of spring-security?
It adds a servlet for receiving graphql requests, yes. But again: this library doesn't configure anything regarding security. It doesn't even have a dependency on Spring Security. The default behavior of Spring Security is that it enables itself. So by the looks of it both graphql-spring-boot-starter and the Spring Security Starter are doing exactly what you'd expect them to do.
If you don't want to use Spring Security yet, then just remove the dependency for now or permitAll(), but I don't see any problem with this library related to this.
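The permitAll() option from the reply above, as an added example that is not part of the original thread or of either library's code. It assumes the Spring Security 5 style WebSecurityConfigurerAdapter named in this issue, a GraphQL servlet mapped to /graphql, and a hypothetical class name.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; place it in a package scanned by the @SpringBootApplication class.
@Configuration
@EnableWebSecurity
public class GraphQLEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the GraphQL servlet is mapped to /graphql. Adjust to the real mapping.
    private static final String GRAPHQL_PATH = "/graphql";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Open only the GraphQL endpoint while the rest of the security setup is built up.
                .antMatchers(GRAPHQL_PATH).permitAll()
                // Everything else keeps requiring an authenticated user.
                .anyRequest().authenticated()
                .and()
            // Keep Basic Auth as the mechanism for the protected endpoints.
            .httpBasic();
        // CSRF protection is left at its default (enabled), so a POST to the
        // permitted endpoint without a CSRF token is answered with 403, not 401.
    }
}
```

Scoping permitAll() to the one path keeps every other endpoint behind authentication, which is narrower than excluding the security autoconfiguration for the whole application.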
When I set up the GraphQL servlet manually using graphql-java-servlet, the security issue does not happen. I suspect Spring is doing weird automatic stuff behind the curtains when I add the complete starter. Anyway, thank you for your replies.
Closing this issue since behavior looks correct to me.
Adding
to pom.xml (without any other configuration) to an existing @SpringBootApplication using Security makes the application require Basic Auth on all endpoints.
My SpringBootApplication excludes the default security:
And an override of WebSecurityConfigurerAdapter with the following:
also setting
in application.yml
Does not work