graphql-java-kickstart / graphql-spring-boot

GraphQL and GraphiQL Spring Framework Boot Starters - Forked from oembedler/graphql-spring-boot due to inactivity.
https://www.graphql-java-kickstart.com/spring-boot/
MIT License

Latest 15.0.0 version is not compatible with Spring boot 3.0.2 and spring security 6.0.1 #918

Open mkrajina opened 1 year ago

mkrajina commented 1 year ago

Describe the bug
After doing a regular library upgrade in one of our projects, I got issues with the security of our "/graphql" endpoint. My security settings are not applied to the "/graphql" endpoint, so my GraphQL endpoint is publicly available in theory. Because of the PreAuthorize annotations, every request fails because no security context is available. I verified that my security settings were working correctly with an additional REST endpoint, where everything worked as expected. The issue was only there with the "/graphql" endpoint. I tried everything in a clean small project, with the same result.

To Reproduce
Steps to reproduce the behavior:

  1. Get the latest Spring Boot version (3.0.2) and Spring Security version (6.0.1)
  2. Secure the "/graphql" endpoint with simple basic auth
  3. Run the application
  4. Try a GraphQL query without any Authorization header -> Request passed
  5. Add a @PreAuthorize annotation on the GraphQL function implementation and try the request again -> Error "An Authentication object was not found in the SecurityContext"

Expected behavior
Spring Security settings are securing the "/graphql" endpoint.

Additional context
With the previous version of your library, Spring Boot 2.7.4 and Spring Security 5.7.3, everything worked as expected. I attached a small demo security project as an example: security-demo.zip

ralbertsasrc commented 1 year ago

Just curious, any workaround for the time being?

ghoshrahul commented 1 year ago

I have faced a similar issue while upgrading Spring Boot to version 3 and Spring Security to version 6.

The solution that worked for me was using {*graphql} as the path pattern instead of /graphql.

You can read the following docs for more details:

  1. Path Pattern Javadoc
  2. Url Matching doc

I can't find the current link, but Spring Security has mostly moved to the PathPattern matching mechanism.
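The configuration the workaround above describes, written out as an added example (this is not code from the issue reporter, from ghoshrahul, or from the graphql-spring-boot project). It assumes Spring Boot 3 with Spring Security 6 and graphql-java-kickstart on the classpath; the class names, the in-memory user and its credentials are constructed placeholders, and the `{*graphql}` pattern is taken verbatim from the comment above:

```java
// Added example (not from the thread or the project): Spring Security 6 configuration that
// protects the GraphQL endpoint with HTTP Basic auth using the "{*graphql}" path pattern
// reported as the working replacement for "/graphql" after the Spring Boot 3 upgrade.
// Assumptions: class names, user name and password below are constructed placeholders.
package com.example.security;

import graphql.kickstart.tools.GraphQLQueryResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // needed so @PreAuthorize on resolver methods is enforced
public class GraphqlSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // GraphQL clients send POST requests with a bearer/basic credential on every
            // call rather than a session cookie, so CSRF protection is switched off here.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // "{*graphql}" is the pattern from the comment above. In PathPattern
                // syntax "{*name}" is a variable that captures the remaining path
                // segments; "graphql" is the variable name, not a literal path.
                .requestMatchers("{*graphql}").authenticated()
                // Everything else also requires authentication (fail closed).
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    UserDetailsService userDetailsService() {
        // Constructed placeholder user for a demo; a real deployment would wire a
        // proper identity store and a non-{noop} password encoder.
        UserDetails demo = User.withUsername("demo")
            .password("{noop}change-me")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(demo);
    }
}

// Hypothetical resolver mirroring step 5 of the report: with the filter chain above,
// an unauthenticated request is rejected by HTTP Basic before this method runs, and an
// authenticated one has a SecurityContext for @PreAuthorize to evaluate.
@Component
class HelloQueryResolver implements GraphQLQueryResolver {

    @PreAuthorize("hasRole('USER')")
    public String hello() {
        return "hello";
    }
}
```

Verifying the fix means repeating steps 4 and 5 from the report: a query with no Authorization header must now get a 401 from the filter chain instead of reaching the resolver, and a query with valid basic credentials must succeed without the "An Authentication object was not found in the SecurityContext" error.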

mkrajina commented 1 year ago

Thanks @ghoshrahul, your solution worked. Tested it today.