Spring Boot GraphQL Tutorial #34 – Subscription Authorization
In this example we add authentication over websocket. This will secure the GraphQL subscriptions with Spring Security Pre-Auth and also show hook points to add your own authorization. We will use the playground example to show how the Apollo client passes the websocket frames from the browser to the server.
In episode 33 we created some subscriptions; in this example we will secure the GraphQLSubscriptionResolver methods with the @PreAuthorize Spring Security annotation (roles).
In order to secure the subscriptions we create a component that implements the ApolloSubscriptionConnectionListener.
The GraphQL client will send a connection_init frame to the server first. It is at this point that you must fully authenticate the request. If it is invalid, all following frames / GraphQL operations will be rejected.
If the auth is valid, we save the user token into the websocket session user properties. The token is not saved into the SecurityContextHolder at this point due to Tomcat NIO websocket thread processing. See the code and linked PR for more details.
When the start frame is received and being processed, it will have access to the same websocket session and can retrieve the user token. The token can then be saved in the Spring SecurityContext for method level authorization, or simply fetched from the DataFetchingEnvironment GraphQLWebSocketContext user properties.
When a failure occurs and is pushed to the client, the client can send a stop frame.
Both parties can initiate a termination of the websocket.
An inactive websocket is kept alive by pushing a sample message every 15 seconds. These are ignored by the client.
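As an added example (not the code from the video or the linked PR), here is one way the connection_init / start / stop / terminate flow described above can be wired into a graphql-java-kickstart listener. Assumptions not taken from the description: the listener method names onConnect, onStart, onStop and onTerminate with (SubscriptionSession, OperationMessage) parameters, SubscriptionSession.getUserProperties() as the per-websocket property map, SubscriptionException as the way to reject a frame, an AuthenticationManager that holds a PreAuthenticatedAuthenticationProvider, and an Apollo client that puts the token in the connection_init payload under an "Authorization" key. The property key, package and class names are hypothetical.

```java
package com.example.graphql.subscriptions; // hypothetical package

import graphql.kickstart.execution.subscriptions.SubscriptionException;
import graphql.kickstart.execution.subscriptions.SubscriptionSession;
import graphql.kickstart.execution.subscriptions.apollo.ApolloSubscriptionConnectionListener;
import graphql.kickstart.execution.subscriptions.apollo.OperationMessage;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;

@Component
public class AuthenticatingSubscriptionListener implements ApolloSubscriptionConnectionListener {

  // Hypothetical key under which the authenticated user is kept in the websocket session.
  static final String AUTH_PROPERTY = "example.authentication";

  private final AuthenticationManager authenticationManager; // assumed: has a PreAuthenticatedAuthenticationProvider

  public AuthenticatingSubscriptionListener(AuthenticationManager authenticationManager) {
    this.authenticationManager = authenticationManager;
  }

  // connection_init: the only point where the connection is fully authenticated.
  // Rejecting here means every later frame on this websocket is rejected as well.
  @Override
  public void onConnect(SubscriptionSession session, OperationMessage message) {
    String token = extractBearerToken(message.getPayload());
    if (token == null) {
      throw new SubscriptionException("connection_init payload carries no bearer token");
    }
    try {
      Authentication auth = authenticationManager.authenticate(
          new PreAuthenticatedAuthenticationToken(token, "N/A"));
      // Stored on the session, not in SecurityContextHolder: the connect frame may be
      // handled on a different (Tomcat NIO) thread than the one running the resolver.
      session.getUserProperties().put(AUTH_PROPERTY, auth);
    } catch (AuthenticationException e) {
      throw new SubscriptionException("authentication failed");
    }
  }

  // start: same websocket session, so the Authentication saved at connect time is available.
  // Placing it in SecurityContextHolder lets @PreAuthorize on the resolver method work.
  @Override
  public void onStart(SubscriptionSession session, OperationMessage message) {
    Authentication auth = (Authentication) session.getUserProperties().get(AUTH_PROPERTY);
    if (auth == null) {
      throw new SubscriptionException("start received without a successful connection_init");
    }
    SecurityContextHolder.getContext().setAuthentication(auth);
  }

  // stop: the client cancels one operation; clear the thread-bound context only.
  @Override
  public void onStop(SubscriptionSession session, OperationMessage message) {
    SecurityContextHolder.clearContext();
  }

  // connection_terminate: either side ends the websocket; drop the stored identity too.
  @Override
  public void onTerminate(SubscriptionSession session, OperationMessage message) {
    session.getUserProperties().remove(AUTH_PROPERTY);
    SecurityContextHolder.clearContext();
  }

  // Reads {"Authorization": "Bearer <token>"} from the connection_init payload (assumed client shape).
  static String extractBearerToken(Object payload) {
    if (!(payload instanceof Map)) {
      return null;
    }
    Object header = ((Map<?, ?>) payload).get("Authorization");
    if (!(header instanceof String) || !((String) header).startsWith("Bearer ")) {
      return null;
    }
    String token = ((String) header).substring("Bearer ".length()).trim();
    return token.isEmpty() ? null : token;
  }
}
```

With the Authentication in SecurityContextHolder at start time, a GraphQLSubscriptionResolver method annotated with `@PreAuthorize("hasRole('ADMIN')")` is checked per subscription operation, and a subscriber whose token did not yield that role receives an error frame rather than the stream. Resolvers that prefer not to depend on the thread-bound context can instead read the same Authentication back from the user properties exposed through the DataFetchingEnvironment's websocket context, as the description mentions.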
See you in the next chapter!
Cheers
Philip