I'd like to be able to start 2 or more graphql servlets on different paths. This way I

Glad to hear it! I think it is, yeah.Best,Michiel <span class="

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

2 graphql servlets,about graphql-java-kickstart/graphql-spring-boot

Comments (9)

oliemansm commented on June 30, 2024 1

Instead of `.antMatchers("/graphql").authenticated()` try to `.antMatchers("/graphql").permitAll()`. You're `@PreAuthorize` annotations should still work while anonymous access is also allowed. Instead of doing basic auth on the servlet endpoint itself, you can create a mutation to create a token given a username and password, e.g. ``` mutation createSession(input: {username:"foo", password:"bar"}) { token } ``` Have the server generate a JWT token for example for this mutation. Use middleware to add this token in the Authorization header with each GraphQL request. Add a authentication filter in the Spring Security Chain to check the token and load the user in the Security Context. You can specify that the session should be stateless in the security configuration. I was trying to find an example to answer your stackoverflow question, but couldn't find one yet and hadn't come around to it create one myself. Does the above help you? Best, Michiel Groet, Michiel

…

________________________________ From: rolandkozma <[email protected]> Sent: Tuesday, September 5, 2017 10:08:04 AM To: graphql-java/graphql-spring-boot Cc: Michiel Oliemans; Comment Subject: Re: [graphql-java/graphql-spring-boot] 2 graphql servlets (#29) Can you give me please a spring/spring-boot solution to have some graphql operation that can be anonymously accessed, while others are secured? If I secure the "/graphgl" endpoint with .antMatchers("/graphql").authenticated(), I can use @PreAuthorize<https://github.com/preauthorize> annotations on service methods to restrict existing roles, but anonymous users are not allowed access at all. — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#29 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AM5FQMbBIYMUlAiF1ikbtcMeKyFkNXBBks5sfQFkgaJpZM4PKBiG>.

from graphql-spring-boot.

oliemansm commented on June 30, 2024

I wouldn't configure Spring Security on servlets like that, but annotate the actual service methods that are being called by the GraphQL resolvers. That way you can authorize differently per query or mutation level, and filter response objects based on the principal.

from graphql-spring-boot.

rolandkozma commented on June 30, 2024

Thanks oliemansm! Indeed, it would be great to be able to do it that way, but I'm struggling with the configurations. I asked for help here:
https://stackoverflow.com/questions/45959234/authentication-in-spring-boot-using-graphql
Could you help me out answering my question on stackoverflow?

from graphql-spring-boot.

rolandkozma commented on June 30, 2024

Can you give me please a spring/spring-boot solution to have some graphql operation that can be anonymously accessed, while others are secured?
If I secure the "/graphgl" endpoint with .antMatchers("/graphql").authenticated(), I can use @PreAuthorize annotations on service methods to restrict existing roles, but anonymous users are not allowed access at all.

from graphql-spring-boot.

rolandkozma commented on June 30, 2024

Thank you very much for your suggestions! I'm going to try to implement them right away. I'll let you know about my progress.

from graphql-spring-boot.

rolandkozma commented on June 30, 2024

I'm happy to let you know that we solved the issue. The filter was not even needed. Spring is able to restore the session from redis if it is persisted as Spring expects. I answered my question on stackoverflow. Thanks a lot for your suggestions!
Is it a best practice to have the login/logout operations as mutations?

from graphql-spring-boot.

oliemansm commented on June 30, 2024

Glad to hear it! I think it is, yeah. Best, Michiel

…

________________________________ From: rolandkozma <[email protected]> Sent: Wednesday, September 6, 2017 11:07:51 AM To: graphql-java/graphql-spring-boot Cc: Michiel Oliemans; Comment Subject: Re: [graphql-java/graphql-spring-boot] 2 graphql servlets (#29) I'm happy to let you know that we solved the issue. The filter was not even needed. Spring is able to restore the session from redis if it is persisted as Spring expects. I answered my question on stackoverflow. Thanks a lot for your suggestions! Is it a best practice to have the login/logout operations as mutations? — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#29 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AM5FQJUsoPm3EiX8fdL3L-rkKViMSnpsks5sfmDngaJpZM4PKBiG>.

from graphql-spring-boot.

smastika commented on June 30, 2024

@rolandkozma @oliemansm Hi guys interesting thread, any possibility to show an example using JWT and some service? I saw the answer in the Stackoverflow question but would appreciate some more details, if you could share some code, it would be awesome.

KR/ Smas

from graphql-spring-boot.

roland-kozma commented on June 30, 2024

Hi @smastika. I don't have anything with JWT and now I'm working on a different project.
But I still have the code of that project and if you want I can look into it and give you more details.
We can have a short chat on skype: roland.kozma or on email: [email protected]

Regards,
Roland

from graphql-spring-boot.

2 graphql servlets about graphql-spring-boot HOT 9 CLOSED

Comments (9)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent