graphql-java-kickstart / graphql-spring-boot

GraphQL and GraphiQL Spring Framework Boot Starters - Forked from oembedler/graphql-spring-boot due to inactivity.
https://www.graphql-java-kickstart.com/spring-boot/
MIT License

Adding graphql-spring-boot-starter to pom.xml makes all endpoints ask for Basic Auth #387

Closed GuillaumeDesforges closed 4 years ago

GuillaumeDesforges commented 4 years ago

Adding

<dependency>
    <groupId>com.graphql-java-kickstart</groupId>
    <artifactId>graphql-spring-boot-starter</artifactId>
    <version>7.0.1</version>
</dependency>

to pom.xml (without any other configuration) to an existing @SpringBootApplication using Security makes the application require Basic Auth on all endpoints.

My SpringBootApplication excludes the default security:

@SpringBootApplication(
        exclude = org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class,
        scanBasePackages = "noscan")

And an override of WebSecurityConfigurerAdapter with the following:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }

also setting

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration

in application.yml

Does not work

oliemansm commented 4 years ago

The spring-boot-starter doesn't configure anything with security.

You mention that you include spring-security in your pom. The default behavior of that starter is to enable it. And you explicitly exclude the security autoconfiguration in your SpringBootApplication class. Why did you add Spring Security to your project in the first place then if you don't want to use it?

GuillaumeDesforges commented 4 years ago

I want to use it, I already have some security set up on another branch in my project but I am trying to make things work incrementally and isolate the issue.

Could spring-boot-starter start something like a servlet that could prioritize on my application and use the autoconfiguration of spring-security?

oliemansm commented 4 years ago

It adds a servlet for receiving graphql requests, yes. But again: this library doesn't configure anything regarding security. It doesn't even have a dependency on Spring Security. The default behavior of Spring Security is that it enables itself. So by the looks of it both graphql-spring-boot-starter and the Spring Security Starter are doing exactly what you'd expect them to do.

If you don't want to use Spring Security yet, then just remove the dependency for now or permitAll(), but I don't see any problem with this library related to this.

GuillaumeDesforges commented 4 years ago

When I set up the GraphQL servlet manually using graphql-java-servlet, the security issue does not happen. I suspect Spring is doing weird automatic stuff behind the curtains when I add the complete starter. Anyway, thank you for your replies.

oliemansm commented 4 years ago

Closing this issue since behavior looks correct to me.