
In my WebSecurityConfigurerAdapter I am using the following methods:

    private final AuthenticationProvider authenticationProvider;
    private final JWTFilter jwtFilter;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors().disable()
                .authorizeRequests()
                .antMatchers("/graphql").permitAll()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class); // Filter
    }

However, in my GraphQLMutationResolver I cannot access the following method (error-code: 403 - no logs):

    @PreAuthorize("isAnonymous()")
    public User registerUser(String email, String passwordHash, String associationLocation) throws ChangeSetPersister.NotFoundException {
        return userService.registerUser(email, passwordHash, associationService.findAssociationByPlaceName(associationLocation));
    }

Any ideas concerning the security configuration? Is the `@PreAuthorize("isAnonymous()")` part correct?

Martin Dallinger
Add the property `logging.level.spring.framework.security=TRACE` in your `application.properties` file. This will help you to see the logs, and you can add them to the question – Marcus Hert da Coregio Jun 18 '21 at 14:20

1 Answer


Thanks to @Marcus-Hert-da-Coregio I have found a way to debug the app and figured out that the issue was caused by the order in which I wrote my HttpSecurity configuration statements, similar to the following post: Spring security always returns HTTP 403

This works for me (so csrf and cors need to be disabled at the end):

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/graphql").permitAll()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class) // Filter
                .cors().disable()
                .csrf().disable();
    }
Martin Dallinger
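For reference, here is a complete version of the stateless JWT configuration the answer arrives at, written as an added example rather than the asker's own code; the package name, the `JwtFilter` class and its constructor wiring are assumptions. Two points are worth making explicit. A bare 403 with nothing in the logs is exactly what Spring Security's `CsrfFilter` returns for a POST that carries no CSRF token (it only logs at DEBUG), so the statement that actually fixed the problem is `.csrf().disable()`, and switching CSRF off is acceptable only because the session policy is `STATELESS` and the caller is authenticated by a bearer header that a cross-site page cannot attach; if the token ever moves into a cookie, CSRF protection has to come back on. `@PreAuthorize("isAnonymous()")` on `registerUser` is correct in itself: when the JWT filter finds no token it leaves the `SecurityContext` empty, `AnonymousAuthenticationFilter` later in the chain supplies the anonymous principal, and the expression passes. An already-authenticated caller invoking that mutation is rejected with a 403 too, which is why the TRACE logging suggested in the comment is the right way to tell the two causes apart.

```java
// Added example, not the asker's configuration: a complete stateless JWT setup
// for a GraphQL endpoint on Spring Security 5.x (the WebSecurityConfigurerAdapter
// era the question uses). The package name, the JwtFilter class and its wiring
// are assumptions.
package example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
// Without prePostEnabled = true, @PreAuthorize annotations are never evaluated.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class StatelessJwtSecurityConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationProvider authenticationProvider;
    // Assumed: a OncePerRequestFilter that validates "Authorization: Bearer <jwt>"
    // and, only on success, stores an Authentication in the SecurityContext.
    private final JwtFilter jwtFilter;

    public StatelessJwtSecurityConfig(AuthenticationProvider authenticationProvider,
                                      JwtFilter jwtFilter) {
        this.authenticationProvider = authenticationProvider;
        this.jwtFilter = jwtFilter;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HTTP session is ever created, so there is no cookie-bound login
            // for a cross-site page to ride on. That precondition is what makes
            // switching CSRF protection off acceptable.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // CsrfFilter runs early in the chain and answers a POST that carries
            // no token with a bare 403 through AccessDeniedHandler, logging only
            // at DEBUG: the "403 - no logs" symptom in the question.
            .csrf().disable()
            // An API client should get a plain 401 for a missing or invalid
            // token, never a redirect to an HTML login page.
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .authorizeRequests()
                // /graphql is open at the HTTP layer; which mutations an anonymous
                // or an authenticated caller may run is decided per method by
                // @PreAuthorize, e.g. isAnonymous() on registerUser.
                .antMatchers("/graphql").permitAll()
                .anyRequest().authenticated()
                .and()
            // When the JWT filter sets nothing, AnonymousAuthenticationFilter,
            // which runs later in the chain, supplies the anonymous principal
            // that makes isAnonymous() evaluate to true.
            .addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class);
    }
}
```

To confirm which filter produced the 403 rather than guess, a `spring-security-test` MockMvc request built with `post("/graphql")` and a valid GraphQL body, deliberately without the `csrf()` request post-processor, returns 200 with this configuration and 403 with CSRF protection left on; the same request sent with `.with(user("someone"))` exercises the method-security path for the `isAnonymous()` rule.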