通过 GraphQL 使用 Spring 安全性
Using Spring Security with GraphQL
在我的 WebSecurityConfigurerAdapter 中,我使用了以下方法:
private final AuthenticationProvider authenticationProvider;
private final JWTFilter jwtFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().disable()
.authorizeRequests()
.antMatchers("/graphql").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class); // Filter
}
但是,在我的 GraphQLMutationResolver 中,我无法访问以下方法(错误代码:403 - 无日志):
@PreAuthorize("isAnonymous()")
public User registerUser(String email, String passwordHash, String associationLocation) throws ChangeSetPersister.NotFoundException {
return userService.registerUser(email, passwordHash, associationService.findAssociationByPlaceName(associationLocation));
}
关于安全配置有什么想法吗? - @PreAuthorize("isAnonymous()") - 部分是否正确?
感谢@Marcus-Hert-da-Coregio,我找到了一种调试应用程序的方法,并发现问题是由我编写 HTTPSecurity-Configuration-Statements 的顺序引起的 - 类似于以下内容post:
这对我有用(所以最后需要禁用 csrf 和 cors):
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/graphql").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class) // Filter
.cors().disable()
.csrf().disable();
}
在我的 WebSecurityConfigurerAdapter 中,我使用了以下方法:
private final AuthenticationProvider authenticationProvider;
private final JWTFilter jwtFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().disable()
.authorizeRequests()
.antMatchers("/graphql").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class); // Filter
}
但是,在我的 GraphQLMutationResolver 中,我无法访问以下方法(错误代码:403 - 无日志):
@PreAuthorize("isAnonymous()")
public User registerUser(String email, String passwordHash, String associationLocation) throws ChangeSetPersister.NotFoundException {
return userService.registerUser(email, passwordHash, associationService.findAssociationByPlaceName(associationLocation));
}
关于安全配置有什么想法吗? - @PreAuthorize("isAnonymous()") - 部分是否正确?
感谢@Marcus-Hert-da-Coregio,我找到了一种调试应用程序的方法,并发现问题是由我编写 HTTPSecurity-Configuration-Statements 的顺序引起的 - 类似于以下内容post:
这对我有用(所以最后需要禁用 csrf 和 cors):
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/graphql").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class) // Filter
.cors().disable()
.csrf().disable();
}