fix(#632): propagate spring security context

Propagate the Spring Security context if on the class path.

fix #632

Author: oliemansm

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/AsyncServletProperties.java

@@ -15,5 +15,6 @@ public class AsyncServletProperties {
   static class Threads {
     private int min = 10;
     private int max = 200;
+    private String namePrefix = "graphql-exec-";
   }
 }

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/DelegatingSecurityContextAsyncTaskDecorator.java

@@ -33,8 +33,11 @@ public class GraphQLServletProperties {
   private boolean exceptionHandlersEnabled = false;
   private long subscriptionTimeout = 0;
   private ContextSetting contextSetting = ContextSetting.PER_QUERY_WITH_INSTRUMENTATION;
-  private long asyncTimeout = 30000;
-  private boolean asyncModeEnabled = true;
+  /** @deprecated Use <tt>graphql.servlet.async.timeout</tt> instead */
+  @Deprecated private Long asyncTimeout;
+  /** @deprecated Use <tt>graphql.servlet.async.enabled</tt> instead */
+  @Deprecated private Boolean asyncModeEnabled;
+
   private String tracingEnabled = "false";
   private boolean actuatorMetrics;
   private Integer maxQueryComplexity;

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLServletProperties.java

@@ -0,0 +1,11 @@
+package graphql.kickstart.autoconfigure.web.servlet;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@Data
+@ConfigurationProperties("graphql.spring.security")
+public class GraphQLSpringSecurityProperties {
+
+  private boolean delegateSecurityContext = true;
+}

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLSpringSecurityProperties.java

@@ -68,6 +68,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -83,6 +84,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.HttpMethod;
+import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
@@ -298,7 +300,11 @@ public GraphQLConfiguration graphQLServletConfiguration(
       @Autowired(required = false) BatchInputPreProcessor batchInputPreProcessor,
       @Autowired(required = false) GraphQLResponseCacheManager responseCacheManager,
       @Autowired(required = false) AsyncTaskDecorator asyncTaskDecorator,
-      @Autowired(required = false) Executor asyncExecutor) {
+      @Autowired(required = false) @Qualifier("graphqlAsyncTaskExecutor") Executor asyncExecutor) {
+    long asyncTimeout =
+        graphQLServletProperties.getAsyncTimeout() != null
+            ? graphQLServletProperties.getAsyncTimeout()
+            : asyncServletProperties.getTimeout();
     return GraphQLConfiguration.with(invocationInputFactory)
         .with(graphQLInvoker)
         .with(graphQLObjectMapper)
@@ -307,14 +313,34 @@ public GraphQLConfiguration graphQLServletConfiguration(
         .with(batchInputPreProcessor)
         .with(graphQLServletProperties.getContextSetting())
         .with(responseCacheManager)
-        .asyncTimeout(graphQLServletProperties.getAsyncTimeout())
+        .asyncTimeout(asyncTimeout)
         .with(asyncTaskDecorator)
         .asyncCorePoolSize(asyncServletProperties.getThreads().getMin())
         .asyncCorePoolSize(asyncServletProperties.getThreads().getMax())
         .with(asyncExecutor)
         .build();
   }
 
+  @Bean("graphqlAsyncTaskExecutor")
+  @ConditionalOnMissingBean(name = "graphqlAsyncTaskExecutor")
+  public Executor threadPoolTaskExecutor() {
+    if (isAsyncModeEnabled()) {
+      ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
+      executor.setCorePoolSize(asyncServletProperties.getThreads().getMin());
+      executor.setMaxPoolSize(asyncServletProperties.getThreads().getMax());
+      executor.setThreadNamePrefix(asyncServletProperties.getThreads().getNamePrefix());
+      executor.initialize();
+      return executor;
+    }
+    return null;
+  }
+
+  private boolean isAsyncModeEnabled() {
+    return graphQLServletProperties.getAsyncModeEnabled() != null
+        ? graphQLServletProperties.getAsyncModeEnabled()
+        : asyncServletProperties.isEnabled();
+  }
+
   @Bean
   @ConditionalOnMissingBean
   public GraphQLHttpServlet graphQLHttpServlet(GraphQLConfiguration graphQLConfiguration) {
@@ -332,7 +358,11 @@ public ServletRegistrationBean<AbstractGraphQLHttpServlet> graphQLServletRegistr
     } else {
       registration.setMultipartConfig(new MultipartConfigElement(""));
     }
-    registration.setAsyncSupported(graphQLServletProperties.isAsyncModeEnabled());
+    if (graphQLServletProperties.getAsyncModeEnabled() != null) {
+      registration.setAsyncSupported(graphQLServletProperties.getAsyncModeEnabled());
+    } else {
+      registration.setAsyncSupported(asyncServletProperties.isEnabled());
+    }
     return registration;
   }
 }

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWebAutoConfiguration.java

@@ -1,21 +1,61 @@
 package graphql.kickstart.autoconfigure.web.servlet;
 
-import graphql.kickstart.servlet.AsyncTaskDecorator;
+import graphql.kickstart.autoconfigure.web.OnSchemaOrSchemaProviderBean;
+import java.util.concurrent.Executor;
+import lombok.RequiredArgsConstructor;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.task.DelegatingSecurityContextAsyncTaskExecutor;
+import org.springframework.web.servlet.DispatcherServlet;
 
 @Configuration
+@RequiredArgsConstructor
+@ConditionalOnWebApplication(type = Type.SERVLET)
+@Conditional(OnSchemaOrSchemaProviderBean.class)
+@ConditionalOnProperty(
+    value = "graphql.servlet.enabled",
+    havingValue = "true",
+    matchIfMissing = true)
 @AutoConfigureBefore(GraphQLWebAutoConfiguration.class)
-@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
+@ConditionalOnClass({DispatcherServlet.class, DefaultAuthenticationEventPublisher.class})
+@EnableConfigurationProperties({
+  GraphQLServletProperties.class,
+  AsyncServletProperties.class,
+  GraphQLSpringSecurityProperties.class
+})
 public class GraphQLWebSecurityAutoConfiguration {
 
-  @Bean
-  @ConditionalOnMissingBean
-  public AsyncTaskDecorator delegatingSecurityContextAsyncTaskDecorator() {
-    return new DelegatingSecurityContextAsyncTaskDecorator();
+  private final GraphQLServletProperties graphqlServletProperties;
+  private final AsyncServletProperties asyncServletProperties;
+  private final GraphQLSpringSecurityProperties securityProperties;
+
+  @Bean("graphqlAsyncTaskExecutor")
+  @ConditionalOnMissingBean(name = "graphqlAsyncTaskExecutor")
+  public Executor threadPoolTaskExecutor() {
+    if (isAsyncModeEnabled() && securityProperties.isDelegateSecurityContext()) {
+      ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
+      executor.setCorePoolSize(asyncServletProperties.getThreads().getMin());
+      executor.setMaxPoolSize(asyncServletProperties.getThreads().getMax());
+      executor.setThreadNamePrefix(asyncServletProperties.getThreads().getNamePrefix());
+      executor.initialize();
+      return new DelegatingSecurityContextAsyncTaskExecutor(executor);
+    }
+    return null;
+  }
+
+  private boolean isAsyncModeEnabled() {
+    return graphqlServletProperties.getAsyncModeEnabled() != null
+        ? graphqlServletProperties.getAsyncModeEnabled()
+        : asyncServletProperties.isEnabled();
   }
 }