Principal is null when executing requests over WebSocket with Spring MVC

[maxhov]

When executing GraphQL requests through websockets, the injected Principal is null. I tried with and without the introduced @AuthenticatedPrincipal annotation, but without a succesful result. Through the HTTP transport, the Principal is injected and everything works as expected.

To demonstrate the issue, I created a demo repo with a basic Spring Boot 2.7.0-m3 application.

To reproduce the issue for the websocket transport with websocat:

~  spring-graphql-principal$ websocat --basic-auth user:password ws://localhost:8080/graphql
**{"type":"connection_init"}**
{"id":null,"type":"connection_ack","payload":{}}
**{"id":"1","type":"subscribe","payload":{"query":"{ helloWorld }"}}**
{"id":"1","type":"next","payload":{"errors":[{"message":"Cannot invoke \"java.security.Principal.getName()\" because \"principal\" is null","locations":[{"line":1,"column":3}],"path":["helloWorld"],"extensions":{"classification":"INTERNAL_ERROR"}}],"data":{"helloWorld":null}}}
{"id":"1","type":"complete","payload":{}}

To see the result for the HTTP transport, use the following curl command:

curl --location --request POST 'http://localhost:8080/graphql' \
--header 'Authorization: Basic dXNlcjpwYXNzd29yZA==' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"{ helloWorld }"}'

Seems to be somewhat related to #268 . I tried to pinpoint where it goes wrong, but couldn't figure it out. My first guess would be that the ThreadLocal variables from e.g. the SecurityContext are not properly transferred to the thread handling the actual query.

[rstoyanchev]

Thanks for the sample.

We do attempt to propagate per WebSocket message but the SecurityContext was established on a different thread during the handshake, so we need to bridge but it seems GraphQlWebSocketHandler alone is not sufficient because afterSessionEstablished is also not on the initial thread. We'll likely use a HandshakeInterceptor to capture the context during the handshake and save it in the WebSocketSession attributes, and that'll require a change in the Boot starter as well.