How to handle security (authn/authz) with DGS Subscriptions and spring security?
I'm mirroring a question asked directly on GitHub here.
I'm up to the point where if I authorize("/subscriptions",permitAll) while configuring my SecurityWebFilterChain then I can successfully use my subscription queries. However, that removes all the security. I would have liked to do: authorize("/subscriptions",hasAuthority("access"))
Anyway, now I need to make sur that the user is properly authenticated and authorized. I use ReactiveMetodSecurity with @PreAuthorize("hasAuthority('read')") or hasPermission(#id, 'entity', 'read:restricted') directly on the @DgsSubscription method.
This works in a way: hasAuthority is triggered although it responds with false. As far as I know that's because the Authentication object has not been initialized with the token.
It's most likely because there is no default behavior to intercept the connection_init message that contains the token.
Thus I'm wondering: how can I fetch that connection_init message and set the Authentication so that it's picked up by spring ?
Thanks
EDIT 1: I've been able to successfully authenticate from a SecurityWebFilterChain point of view. The Authentication object however is not available in the @DgsSubscription. I can access it though using the workaround explained here. That means I now have a solution although this won't be working with a connection_init provided Authorization. Also it will require me to add a level to my objects to have the PreAuthorization work.
Here is was I was able to do with the auth header in the handshake request:
@Component
class DgsSecurityContextBuilder : DgsReactiveCustomContextBuilderWithRequest<Authentication> {
override fun build(
extensions: Map<String, Any>?,
headers: HttpHeaders?,
serverRequest: ServerRequest?
): Mono<Authentication> = ReactiveSecurityContextHolder.getContext().map { it.authentication }
}
@DgsComponent
class AggregateSubscriptions(val handler: AggregateSubscriptionsHandler) {
@DgsSubscription
fun aggregateNotifications(
@InputArgument id: UUID,
@InputArgument notificationTypes: List<NotificationType>?,
dfe: DataFetchingEnvironment
) = let {
val auth = DgsContext.getCustomContext<Authentication>(dfe)
handler.aggregateNotifications(id, notificationTypes, auth)
}
}
@Component
class AggregateSubscriptionsHandler {
@PreAuthorize("@myPermissionEvaluator.hasAuthority(#auth, '$AGGREGATE_READ')")
fun aggregateNotifications(id: UUID, notificationTypes: List<NotificationType>?, auth: Authentication) =
Flux.interval(Duration.ofMillis(1000))
.map {
Notification.Builder()
.withAggregateId(id.toString())
.withNotificationType(NotificationType.AdvertiserAdded)
.withPayload(listOf(KeyValue.Builder().withKey("t").withValue(it.toString()).build()))
.build()
}
}
That's the only way I found to currently handle authz in subscription requests
Hopefully we'll get a fix soon that will allow us to use the connection_init message.
See: https://github.com/Netflix/dgs-framework/issues/1442 and https://github.com/Netflix/dgs-framework/issues/450
- maven-shade-plugin - Cannot find 'resource' in class org.apache.maven.plugins.shade.resource.ManifestResourceTransformer
- How to call another api from same app in spring boot
- Spring initializing the @Value annotation property from a static field
- 403 Forbidden when introducing authorization on spring boot rest
- org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Unrecognized field "error" not marked as ignorable
- Stackoverflow when evaluate expression intellij with JPA Spring Boot
- Spring Boot - no log file written (logging.file is not respected)
- How can I create two beans of same class in a Spring Context?
- How to inject multiple implementations of same type with Spring Boot?
- How to log the active configuration in a Spring Boot application?
- Cannot debug / stop a springboot app with IntelliJ Idea community
- How to manage application.properties in Github CI/CD
- spring boot application running but endpoint throwing 404
- GraalVM native image build fails using EclipseStore: Unable to access java.util.Collections$SetFromMap despite --add-opens
- Designing one-to-one and one-to-many relationships in Spring Data R2DBC
- Spring Boot - Custom JsonDeserializer is ignored
- How to change the background color of Anchore
- Spring Security error creating bean with name 'securityConfig': Injection of autowired dependencies failed
- @Transactional rollback is not working in spring boot application?
- Swagger declaration schema = @Schema(implementation = Map.class) represents Schema as String in swagger-ui
- Is there a way to disable Testcontainers depending on Spring profile?
- Use Entra ID as Identity Provider for Client Credentials flow
- How to collect all fields annotated with @RequestParam into one object
- Adding a new package broke my Spring Boot Application
- Spring boot validation problem: understanding the MethodArgumentNotValidException
- Are multiple requests handled by single thread in Spring Boot until certain requests threshold is reached?
- SpringBoot OpenAPI definition polymorphism with anyOf and discriminatorProperty
- Compilation error after upgrading to JDK 21 - "NoSuchFieldError: JCImport does not have member field JCTree qualid"
- Springboot endpoint 403 OPTIONS when doing a POST request
- Springboot not triggering custom authentication for my loaduserbyusername method