graphql-java-kickstart/graphql-spring-boot

Latest 15.0.0 version is not compatible with Spring Boot 3.0.2 and Spring Security 6.0.1

mkrajina opened this issue · 3 comments

Describe the bug
After doing a regular library upgrade in one of our projects, I got issues with the security of our "/graphql" endpoint.
My security settings are not applied to the "/graphql" endpoint. So my GraphQL endpoint is publicly available in theory. Because of the PreAuthorize annotations, every request fails because no security context is available.
I verified that my security settings were working correctly with an additional REST endpoint, where everything worked as expected.
The issue was only there with the "/graphql" endpoint.
I tried everything in a clean small project. The same result.

To Reproduce
Steps to reproduce the behavior:

  1. Get the latest Spring Boot version (3.0.2) and Spring Security version (6.0.1)
  2. Secure the "/graphql" endpoint with simple basic auth
  3. Run the application
  4. Try a GraphQL query without any Authorization header -> Request passed
  5. Add a @PreAuthorize annotation on the GraphQL function implementation and try the request again -> Error "An Authentication object was not found in the SecurityContext"

Expected behavior
Spring Security settings secure the "/graphql" endpoint

Additional context
With the previous version of your library, Spring Boot 2.7.4 and Spring Security 5.7.3, everything worked as expected.
I attached a small demo security project as an example.
security-demo.zip

Just curious, any workaround for the time being?

I have faced a similar issue while upgrading Spring Boot to version 3 and Spring Security to version 6.

The solution that worked for me was using {*graphql} as the path pattern instead of /graphql.

You can read up on the following docs for more details:

  1. Path Pattern Javadoc
  2. Url Matching doc

I can't find the current link, but Spring Security mostly moved to the PathPattern matching mechanism.
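A Spring Security 6 configuration that applies the workaround from this comment, added here as an illustration; it is not code from graphql-java-kickstart or from the attached demo project. The `{*graphql}` pattern is the one given in the comment; the package name, bean names and the in-memory user are assumptions for the example. The commented-out `/graphql` matcher is the form the report says stopped matching. Note that `{*name}` is PathPattern's "capture the remaining path" syntax, so it matches far more than the literal `/graphql`; the deny-by-default `anyRequest()` rule is what keeps a mismatch from turning into an open endpoint.

```java
package com.example.graphqlsecurity; // hypothetical package for this example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
// Spring Security 6 replacement for @EnableGlobalMethodSecurity; required for
// @PreAuthorize on resolver methods to be enforced at all.
@EnableMethodSecurity
public class GraphqlSecurityConfig {

    @Bean
    SecurityFilterChain graphqlFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Reported in this issue as no longer matching the kickstart
                // servlet's requests on Boot 3.0.2 / Security 6.0.1:
                // .requestMatchers("/graphql").authenticated()
                //
                // Workaround from the comment above: PathPattern "capture the rest"
                // syntax. It matches every remaining path, not only "/graphql".
                .requestMatchers("{*graphql}").authenticated()
                // Deny-by-default backstop. With this in place, a matcher that
                // silently fails to match surfaces as a 401, not as an open endpoint.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Stateless API clients only. Keep CSRF protection enabled if browser
            // sessions with cookies call this endpoint.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed demo credentials for the example; replace with a real user store.
        return new InMemoryUserDetailsManager(
            User.withUsername("demo")
                .password(encoder.encode("demo-password"))
                .roles("USER")
                .build());
    }
}
```

The check that corresponds to step 4 of the report: with the application running, a query without credentials, e.g. `curl -i -H 'Content-Type: application/json' -d '{"query":"{ __typename }"}' http://localhost:8080/graphql`, should now return `401` with a `WWW-Authenticate: Basic` header, and the same request with `-u demo:demo-password` should reach the resolver (and, where `@PreAuthorize` applies, find an `Authentication` in the `SecurityContext`). If the unauthenticated request still returns `200`, the matcher is not matching and the `anyRequest()` rule is missing.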

Thanks @ghoshrahul, your solution worked. Tested it today.