Prior to this commit, the GraphQL schema assembled by the
auto-configuration would provide no option for disabling the field
introspection.
While this feature is essential for many tools (including GraphiQL),
some prefer disabling it because this allows clients to gather
information about types and schema easily. This commit introduces a new
`spring.graphql.schema.introspection.enabled` configuration property.
Because potential attackers can still gather this information and this
feature is a core concern in the GraphQL spec, introspection is enabled
by default for Spring Boot applications.
Closes gh-29248
This commit configures security features for Spring GraphQL.
In the case of both MVC and WebFlux, this contributes
`DataFetcherExceptionResolver` instances to resolve security exceptions
and expose them as proper errors in the GraphQL response.
For MVC only, this also configures a
`SecurityContextThreadLocalAccessor`. This component ensures that the
security context is propagated between `ThreadLocal` and the Reactor
asynchronous execution.
See gh-29140
This commit auto-configures a GraphQL WebSocket endpoint for both Spring
MVC and Spring WebFlux. This is only enabled if the required libraries
are on the classpath and if the `"spring.graphql.websocket.path"`
property is defined.
See gh-29140
Spring GraphQL ships with a static version of the graphiql IDE for
exploring and querying GraphQL endpoints.
See https://github.com/graphql/graphiql for more information.
This commit auto-configures the GraphiQL handler for both MVC and
WebFlux and points GraphiQL to the GraphQL HTTP endpoint exposed by the
application. This feature is disabled by default and can be switched on
with "spring.graphql.graphiql.enabled=true".
See gh-29140
This commit configuresa new endpoint for printing in text format the
resolved GraphQL schema.
This endpoint is exposed by default under "/graphql/schema" and must be
enabled with "spring.graphql.schema.printer=true".
See gh-29140
This commit adds two new auto-configuration classes for Spring GraphQL
support. Once the base GraphQL infrastructure is in place, we can now
expose the `GraphQlService` over an HTTP transport.
Spring GraphQL supports both MVC and WebFlux, so this commit ships with
one auto-configuration for each.
Developers can configure the HTTP path where the GraphQL resource is
exposed using the `spring.graphql.path` configuration property (this
defaults to `"/graphql"`).
See gh-29140
This commit adds a new `FailureAnalyzer` for exceptions thrown when no
GraphQL schema file could be found.
This lists configured locations (with `"classpath:..."` notation) and
also resolved locations - this helps developers figure out how the
pattern are resolved and why schema files cannot be found.
See gh-29140
This commit adds the auto-configuration for setting up the base Spring
GraphQL infrastructure. Because GraphQL doesn't depend on any particular
transport, we must have a separate configuration for creating:
* the `GraphQlSource`, which holds the schema and the `GraphQL` instance
* the `GraphQlService` for executing incoming requests
* the `BatchLoaderRegistry` for batch loading support
* the `AnnotatedControllerConfigurer` for supporting the annotated
controllers programming model
This comes with a starting point for the `"spring.graphql.*"`
configuration properties; we can now configure the locations and file
extensions of GraphQL schema files we should load and configure at
startup.
See gh-29140
This commit maps the `server.servlet.session.cookie.same-site`
configuration property to the `DefaultCookieSerializer` bean configured
in the Spring Session auto-configuration.
See gh-28784
Update `ErrorPageSecurityFilterConfiguration` to guard against the case
where `spring-security-core` is on the classpath but
`spring-security-web` is not.
Fixes gh-28774
This commits exposes the RestClientBuilder as a bean even when the
RestHighLevelClient is not available. It allows users to create their
own RestClient beans using the Spring Boot configured RestClientBuilder
when they are not using the RestHighLevelClient.
Fixes gh-28655
