Server side security guide
Jan Martiska edited this page Mar 4, 2021 · 2 revisions
If you want to secure your GraphQL endpoint, you can do so using the standard declarative mechanisms available in WildFly. A very crude example for inspiration:
WEB-INF/web.xml:
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>graphql</web-resource-name>
            <url-pattern>/graphql</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <description>The role that is required to log in</description>
        <role-name>users</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>other</realm-name>
    </login-config>
</web-app>
WEB-INF/jboss-web.xml:
<jboss-web>
    <security-domain>other</security-domain>
</jboss-web>
Setting up the security domain using the WildFly CLI:
/subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain)
If you need programmatic access to the user credentials, you may use the Elytron API inside your endpoint:
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
(...)
// Resolve the identity of the caller of the current request from the active Elytron security domain
SecurityIdentity identity = SecurityDomain.getCurrent().getCurrentSecurityIdentity();
// inspect the identity object, e.g. identity.getPrincipal() or identity.getRoles()
Another option is to use the Jakarta EE Security API. This should make it possible to @Inject a javax.security.enterprise.SecurityContext into your GraphQL endpoint, once JACC is enabled for the security domain with the WildFly CLI:
/subsystem=undertow/application-security-domain=other:write-attribute(name=enable-jacc, value=true)
/subsystem=undertow/application-security-domain=other:write-attribute(name=integrated-jaspi, value=false)
/subsystem=elytron/policy=jacc:add(jacc-policy={})
You might also need to declare a dependency on the org.glassfish.soteria module (including services=true) from your WAR file if you're getting an unsatisfied injection point error.