How to handle security (authn/authz) with DGS Subscriptions and spring security ?

[lthoulon-locala]

Hi,

I've been struggling all day trying to make DGS subscriptions work with spring security.

I'm up to the point where if I authorize("/subscriptions",permitAll) while configuring my SecurityWebFilterChain then everything is working.

Now I need to make sur that the user is properly authenticated and authorized. I use ReactiveMetodSecurity with @PreAuthorize("hasAuthority('read')") or hasPermission(#id, 'entity', 'read:restricted') directly on the @DgsSubscription method.

I'm not sure how I should be handling this here as my understanding is that I get the token on the connection_init message.
My understanding is that permitting the /subscriptions endpoint is mandatory but that I need to do something more afterwards.

Do you have any documentation or pointers on the matter ?
Thanks you.

[lthoulon-locala]

This may be an interesting resource regarding this subject: #1442