Secure GraphQL endpoints in Spring reactive applications

Spring supports GraphQL requests over HTTP, WebSocket and RSocket. Securing a Spring GraphQL application does not differ from securing a web application. Mainly, Spring GraphQL needs to ensure that the security context propagates from WebFlux to the data-fetching layer, so that we can use Security annotations or access the authenticated principal in @SchemaMapping methods. This should work for both HTTP and WebSocket. By Ruchira Madhushan Rajapaksha.

In this tutorial, we will develop a reactive Spring Boot application that secures an exposed GraphQL API using JWT authentication. A separate REST endpoint will issue the JWT, which clients then present to authenticate their requests to the GraphQL endpoint. For more information about JWT, refer to the following guide.

Further in this article you will find information on:

  • Application Setup with Spring Boot
  • JWT Utility
  • Spring Security Configuration
  • SecurityContextRepository
  • AuthenticationManager

To apply more fine-grained security, we can add Spring Security annotations such as @PreAuthorize or @Secured to the service methods that fetch specific parts of the GraphQL response. This works because of context propagation, which makes the security context (and other contexts) available at the data-fetching level. Interesting read!
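As an added example (not code from the original tutorial), here are the two pieces named above for a stateless JWT setup: a ReactiveAuthenticationManager that validates the bearer token and a ServerSecurityContextRepository that rebuilds the security context on every request, followed by a @QueryMapping guarded by @PreAuthorize. It assumes @EnableWebFluxSecurity and @EnableReactiveMethodSecurity on the configuration class, both beans wired into the SecurityWebFilterChain, and a hypothetical JwtUtil.parse helper that throws on an invalid or expired token and exposes subject() and roles().

```java
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Verifies the bearer JWT. JwtUtil.parse(token) is a hypothetical helper (not from the
// tutorial) that throws on a bad signature or expiry and returns subject() and roles().
@Component
class JwtAuthenticationManager implements ReactiveAuthenticationManager {
    @Override public Mono<Authentication> authenticate(Authentication auth) {
        String token = auth.getCredentials().toString();
        return Mono.fromCallable(() -> JwtUtil.parse(token))
                .map(c -> new UsernamePasswordAuthenticationToken(
                        c.subject(), null, AuthorityUtils.createAuthorityList(c.roles())))
                .onErrorMap(e -> new BadCredentialsException("invalid JWT", e));
    }
}

// Stateless repository: rebuilds the SecurityContext from the Authorization header on
// every request. Register it with http.securityContextRepository(...) in the filter chain.
@Component
class BearerSecurityContextRepository implements ServerSecurityContextRepository {
    private final ReactiveAuthenticationManager authManager;
    BearerSecurityContextRepository(ReactiveAuthenticationManager m) { this.authManager = m; }
    @Override public Mono<Void> save(ServerWebExchange ex, SecurityContext ctx) {
        return Mono.empty(); // nothing to persist: the token itself carries the session
    }
    @Override public Mono<SecurityContext> load(ServerWebExchange ex) {
        String h = ex.getRequest().getHeaders().getFirst("Authorization");
        if (h == null || !h.startsWith("Bearer ")) return Mono.empty(); // request stays anonymous
        String token = h.substring("Bearer ".length());
        return authManager.authenticate(new UsernamePasswordAuthenticationToken(token, token))
                .map(SecurityContextImpl::new);
    }
}

@Controller
class AuditController {
    // Evaluated against the propagated reactive SecurityContext; needs a ROLE_ADMIN authority.
    @PreAuthorize("hasRole('ADMIN')") @QueryMapping
    Mono<String> auditLog() { return Mono.just("audit entries for admins only"); }
}
```

A request without a valid bearer token reaches the GraphQL endpoint as anonymous and is rejected by the filter chain's authenticated() rule, while an authenticated user lacking ROLE_ADMIN gets an access-denied error for the auditLog field only.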
