Authentication principal Spring security #663
-
First of all, thank you for your job! I am building the API as an OAuth2 resource server. I've configured Spring Security and processed a JWT that gets stored along with some user details, a pretty straightforward implementation. Would you have any recommendations or guidelines that I could follow? Thanks!
Replies: 7 comments
-
I haven't tried it myself but I'd assume you would build out your
-
The problem that I have is that I can't retrieve the Not sure if I am correct as I am new to reactive programming. Does it make any sense to you? Would there be a way to keep the rest of the Reactor contexts in the query to perform things like
-
Spring Boot 2.x introduced full interop between Reactor and Coroutines. If in your security web filter you store AFAIK Spring Security annotations won't work on GraphQL methods, but you could use directives to achieve the same (directives would use information from your GraphQL context).
-
I finally managed to get the security context. I did it this way and I think it is non-blocking.
Correct me please if I'm wrong. Then in the directive...
And then I end up doing this...
There is only one small question left: as you can see I'm raising an exception and Can you think of a better way to prevent access to the resource? Are there any performance inconveniences in raising an exception there? Thanks!
-
If the user tries to access some unauthorized field then I think throwing an exception is the right way to go. Side note if

```kotlin
import com.expediagroup.graphql.spring.execution.GraphQLContextFactory
import kotlinx.coroutines.reactor.ReactorContext
import org.springframework.http.server.reactive.ServerHttpRequest
import org.springframework.http.server.reactive.ServerHttpResponse
import org.springframework.security.core.context.SecurityContext
import kotlin.coroutines.coroutineContext

// Per-request GraphQL context carrying the Spring SecurityContext (null when absent);
// the class shape is an assumption, the thread does not show its definition
data class CustomContext(val securityContext: SecurityContext?)

class CustomContextFactory : GraphQLContextFactory<CustomContext> {
    override suspend fun generateContext(request: ServerHttpRequest, response: ServerHttpResponse): CustomContext {
        // kotlinx-coroutines-reactor exposes the Reactor subscriber context inside the coroutine context
        val reactorContext = coroutineContext[ReactorContext]?.context ?: throw RuntimeException("reactor context unavailable")
        // Assumes the security web filter stored the SecurityContext itself under this KClass key.
        // Spring Security's own ReactiveSecurityContextHolder keys on SecurityContext::class.java
        // and stores a Mono<SecurityContext>, so with the stock filter this lookup returns null.
        val securityContext = reactorContext.getOrDefault<SecurityContext>(SecurityContext::class, null)
        return CustomContext(securityContext = securityContext)
    }
}
```
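The two pieces discussed in this thread, a context factory that captures the Spring Security context without blocking and a schema directive that authorizes a field from that context, put together as one added example. This is not code from the thread or from the graphql-kotlin project; it assumes graphql-kotlin-spring-server 3.x package names, Spring Security on WebFlux, and the hypothetical names `CustomContext`, `Auth`, `AuthDirectiveWiring` and `DirectiveConfiguration`:

```kotlin
// Added example, not code from this thread or from the graphql-kotlin project.
// Assumes graphql-kotlin-spring-server 3.x (package names below) and Spring Security
// WebFlux; CustomContext, Auth, AuthDirectiveWiring and DirectiveConfiguration are
// hypothetical names chosen for this example.
import com.expediagroup.graphql.annotations.GraphQLDirective
import com.expediagroup.graphql.directives.KotlinDirectiveWiringFactory
import com.expediagroup.graphql.directives.KotlinFieldDirectiveEnvironment
import com.expediagroup.graphql.directives.KotlinSchemaDirectiveWiring
import com.expediagroup.graphql.hooks.SchemaGeneratorHooks
import com.expediagroup.graphql.spring.execution.GraphQLContextFactory
import graphql.GraphQLException
import graphql.introspection.Introspection.DirectiveLocation
import graphql.schema.DataFetcher
import graphql.schema.GraphQLFieldDefinition
import kotlinx.coroutines.reactive.awaitFirstOrNull
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.server.reactive.ServerHttpRequest
import org.springframework.http.server.reactive.ServerHttpResponse
import org.springframework.security.core.context.ReactiveSecurityContextHolder
import org.springframework.security.core.context.SecurityContext
import org.springframework.stereotype.Component

// Per-request GraphQL context; securityContext is null for anonymous requests.
data class CustomContext(val securityContext: SecurityContext?)

// Resolve the security context once per request rather than in every resolver.
// awaitFirstOrNull() subscribes with the coroutine's ReactorContext, which is where
// Spring Security's web filter placed the Mono<SecurityContext>, so nothing blocks.
@Component
class CustomContextFactory : GraphQLContextFactory<CustomContext> {
    override suspend fun generateContext(request: ServerHttpRequest, response: ServerHttpResponse): CustomContext =
        CustomContext(securityContext = ReactiveSecurityContextHolder.getContext().awaitFirstOrNull())
}

// Schema directive: @Auth(role = "SCOPE_read") on a field requires that granted authority.
@GraphQLDirective(
    name = "auth",
    description = "Caller must hold the given granted authority",
    locations = [DirectiveLocation.FIELD_DEFINITION]
)
annotation class Auth(val role: String)

// Replaces the field's data fetcher with one that authorizes first. Throwing from the
// fetcher makes graphql-java return null for that field plus an entry in "errors" while
// sibling fields still resolve; the original fetcher is never invoked for a rejected
// caller, so no protected data is loaded only to be discarded.
class AuthDirectiveWiring : KotlinSchemaDirectiveWiring {
    override fun onField(environment: KotlinFieldDirectiveEnvironment): GraphQLFieldDefinition {
        val requiredRole = environment.directive.getArgument("role").value as String
        val original: DataFetcher<Any> = environment.getDataFetcher()
        environment.setDataFetcher(DataFetcher { env ->
            val authentication = env.getContext<CustomContext>().securityContext?.authentication
            if (authentication == null || !authentication.isAuthenticated) {
                throw GraphQLException("Unauthenticated")
            }
            if (authentication.authorities.none { it.authority == requiredRole }) {
                throw GraphQLException("Forbidden: requires $requiredRole")
            }
            original.get(env)
        })
        return environment.element
    }
}

// Registers the wiring for the "auth" directive with the schema generator.
@Configuration
class DirectiveConfiguration {
    @Bean
    fun schemaGeneratorHooks(): SchemaGeneratorHooks = object : SchemaGeneratorHooks {
        override val wiringFactory: KotlinDirectiveWiringFactory =
            KotlinDirectiveWiringFactory(manualWiring = mapOf("auth" to AuthDirectiveWiring()))
    }
}

// Usage in a query type (Query is com.expediagroup.graphql.spring.operations.Query):
// class SecretQuery : Query {
//     @Auth(role = "SCOPE_read")
//     fun secret(): String = "only for callers holding the read scope"
// }
```

With Spring Security's default JWT authentication converter the granted authorities are the token's scopes prefixed with `SCOPE_`, so a resource server protecting a field by scope would write `@Auth(role = "SCOPE_read")`; a custom converter that maps a `roles` claim would use `ROLE_` names instead. The cost of the exception is one stack trace per rejected field, which is negligible next to the network round trip; the check itself is a list scan over the authorities and runs before any I/O.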
-
Thanks for the example, I think one thing is different:
-
Hi all. See a schema-first Kotlin Spring Boot GraphQL server with Spring Security authentication and authorization example here: