Add Spring Security auto-configuration

This commit adds two new auto-configuration classes that provide the
relevant Spring Security infrastructure for GraphQL applications:

* a `ThreadLocalAccessor` that propagates the security context in
Spring MVC applications
* `DataFetcherExceptionResolver` implementations that resolve security
  exception from data fetchers, for both MVC and WebFlux

Closes gh-81

Author: bclozel

build.gradle

@@ -38,7 +38,7 @@ configure(moduleProjects) {
 			mavenBom "io.projectreactor:reactor-bom:2020.0.7"
 			mavenBom "org.springframework:spring-framework-bom:5.3.7"
 			mavenBom "org.springframework.data:spring-data-bom:2021.0.1"
-			mavenBom "org.springframework.security:spring-security-bom:5.5.0"
+			mavenBom "org.springframework.security:spring-security-bom:5.5.1"
 			mavenBom "org.junit:junit-bom:5.7.2"
 		}
 		dependencies {

graphql-spring-boot-starter/build.gradle

@@ -38,6 +38,9 @@ dependencies {
 	compileOnly 'io.micrometer:micrometer-core'
 	compileOnly 'org.springframework.boot:spring-boot-actuator-autoconfigure'
 
+	compileOnly 'org.springframework.security:spring-security-config'
+	compileOnly 'org.springframework.security:spring-security-web'
+
 	compileOnly project(':spring-graphql-test')
 	compileOnly 'org.springframework.boot:spring-boot-test'
 
@@ -57,6 +60,9 @@ dependencies {
 	testImplementation 'org.apache.tomcat.embed:tomcat-embed-websocket'
 	testImplementation 'org.springframework.boot:spring-boot-actuator-autoconfigure'
 	testImplementation 'io.micrometer:micrometer-core'
+	testImplementation 'org.springframework.security:spring-security-config'
+	testImplementation 'org.springframework.security:spring-security-web'
+	testImplementation 'org.springframework.security:spring-security-test'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 

graphql-spring-boot-starter/src/main/java/org/springframework/graphql/boot/security/GraphQlWebFluxSecurityAutoConfiguration.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.graphql.boot.security;
+
+import graphql.GraphQL;
+
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.graphql.boot.GraphQlWebFluxAutoConfiguration;
+import org.springframework.graphql.security.ReactiveSecurityDataFetcherExceptionResolver;
+import org.springframework.graphql.web.webflux.GraphQlHttpHandler;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+
+/**
+ * {@link EnableAutoConfiguration Auto-configuration} for enabling Security support
+ * for Spring GraphQL with WebFlux.
+ *
+ * @author Brian Clozel
+ * @since 1.0.0
+ */
+@Configuration(proxyBeanMethods = false)
+@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
+@ConditionalOnClass({GraphQL.class, GraphQlHttpHandler.class, EnableWebFluxSecurity.class})
+@ConditionalOnBean(GraphQlHttpHandler.class)
+@AutoConfigureAfter(GraphQlWebFluxAutoConfiguration.class)
+public class GraphQlWebFluxSecurityAutoConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean
+	public ReactiveSecurityDataFetcherExceptionResolver reactiveSecurityDataFetcherExceptionResolver() {
+		return new ReactiveSecurityDataFetcherExceptionResolver();
+	}
+}

graphql-spring-boot-starter/src/main/java/org/springframework/graphql/boot/security/GraphQlWebMvcSecurityAutoConfiguration.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.graphql.boot.security;
+
+import graphql.GraphQL;
+
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.graphql.boot.GraphQlWebMvcAutoConfiguration;
+import org.springframework.graphql.security.SecurityContextThreadLocalAccessor;
+import org.springframework.graphql.security.SecurityDataFetcherExceptionResolver;
+import org.springframework.graphql.web.webmvc.GraphQlHttpHandler;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+
+/**
+ * {@link EnableAutoConfiguration Auto-configuration} for enabling Security support
+ * for Spring GraphQL with MVC.
+ *
+ * @author Brian Clozel
+ * @since 1.0.0
+ */
+@Configuration(proxyBeanMethods = false)
+@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
+@ConditionalOnClass({GraphQL.class, GraphQlHttpHandler.class, EnableWebSecurity.class})
+@ConditionalOnBean(GraphQlHttpHandler.class)
+@AutoConfigureAfter(GraphQlWebMvcAutoConfiguration.class)
+public class GraphQlWebMvcSecurityAutoConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean
+	public SecurityDataFetcherExceptionResolver securityDataFetcherExceptionResolver() {
+		return new SecurityDataFetcherExceptionResolver();
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public SecurityContextThreadLocalAccessor securityContextThreadLocalAccessor() {
+		return new SecurityContextThreadLocalAccessor();
+	}
+
+}

graphql-spring-boot-starter/src/main/java/org/springframework/graphql/boot/security/package-info.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Auto-configuration classes to configure
+ * {@link org.springframework.graphql.security.SecurityDataFetcherExceptionResolver},
+ * {@link org.springframework.graphql.security.SecurityContextThreadLocalAccessor} for Security support.
+ */
+@NonNullApi
+@NonNullFields
+package org.springframework.graphql.boot.security;
+
+import org.springframework.lang.NonNullApi;
+import org.springframework.lang.NonNullFields;

graphql-spring-boot-starter/src/main/resources/META-INF/spring.factories

@@ -1,9 +1,11 @@
 org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
-org.springframework.graphql.boot.actuate.metrics.GraphQlMetricsAutoConfiguration,\
 org.springframework.graphql.boot.GraphQlAutoConfiguration,\
 org.springframework.graphql.boot.GraphQlServiceAutoConfiguration,\
 org.springframework.graphql.boot.GraphQlWebFluxAutoConfiguration,\
-org.springframework.graphql.boot.GraphQlWebMvcAutoConfiguration
+org.springframework.graphql.boot.GraphQlWebMvcAutoConfiguration,\
+org.springframework.graphql.boot.actuate.metrics.GraphQlMetricsAutoConfiguration,\
+org.springframework.graphql.boot.security.GraphQlWebFluxSecurityAutoConfiguration,\
+org.springframework.graphql.boot.security.GraphQlWebMvcSecurityAutoConfiguration
 
 # Spring Test @AutoConfigureGraphQlTester
 org.springframework.graphql.boot.test.tester.AutoConfigureGraphQlTester=\

graphql-spring-boot-starter/src/test/java/org/springframework/graphql/boot/GraphQlDataFetchers.java

@@ -22,6 +22,8 @@
 import graphql.schema.DataFetcher;
 import reactor.core.publisher.Flux;
 
+import org.springframework.lang.Nullable;
+
 public final class GraphQlDataFetchers {
 
 	private static List<Book> books = Arrays.asList(new Book("book-1", "GraphQL for beginners", 100, "John GraphQL"),
@@ -33,13 +35,20 @@ private GraphQlDataFetchers() {
 	}
 
 	public static DataFetcher getBookByIdDataFetcher() {
-		return (environment) -> books.stream().filter((book) -> book.getId().equals(environment.getArgument("id")))
-				.findFirst().orElse(null);
+		return (environment) -> getBookById(environment.getArgument("id"));
+	}
+
+	public static DataFetcher getBooksOnSaleDataFetcher() {
+		return (environment) -> getBooksOnSale(environment.getArgument("minPages"));
+	}
+
+	@Nullable
+	public static Book getBookById(String id) {
+		  return books.stream().filter((book) -> book.getId().equals(id)).findFirst().orElse(null);
 	}
 
-	public static DataFetcher getBooksOnSale() {
-		return (environment) -> Flux.fromIterable(books)
-				.filter((book) -> book.getPageCount() >= (int) environment.getArgument("minPages"));
+	public static Flux<Book> getBooksOnSale(int minPages) {
+		return Flux.fromIterable(books).filter((book) -> book.getPageCount() >= minPages);
 	}
 
 }