apache · xiazcy · Mar 23, 2026 · Mar 17, 2026
diff --git a/gremlin-dotnet/Examples/BasicGremlin/BasicGremlin.cs b/gremlin-dotnet/Examples/BasicGremlin/BasicGremlin.cs
@@ -20,6 +20,7 @@ under the License.
 using Gremlin.Net.Driver;
 using Gremlin.Net.Driver.Remote;
 using static Gremlin.Net.Process.Traversal.AnonymousTraversalSource;
+using static Gremlin.Net.Process.Traversal.__;
 
 public class BasicGremlinExample
 {
@@ -40,8 +41,8 @@ static async Task Main()
 
         // Be sure to use a terminating step like Next() or Iterate() so that the traversal "executes"
         // Iterate() does not return any data and is used to just generate side-effects (i.e. write data to the database)
-        g.V(v1).AddE("knows").To(v2).Property("weight", 0.75).Iterate();
-        g.V(v1).AddE("knows").To(v3).Property("weight", 0.75).Iterate();
+        g.V(v1).AddE("knows").To(Constant(v2)).Property("weight", 0.75).Iterate();
+        g.V(v1).AddE("knows").To(Constant(v3)).Property("weight", 0.75).Iterate();
 
         // Retrieve the data from the "marko" vertex
         var marko = await g.V().Has(VertexLabel, "name", "marko").Values<string>("name").Promise(t => t.Next());

diff --git a/gremlin-dotnet/Examples/Connections/Connections.cs b/gremlin-dotnet/Examples/Connections/Connections.cs
@@ -19,20 +19,20 @@ under the License.
 
 using Gremlin.Net.Driver;
 using Gremlin.Net.Driver.Remote;
-using Gremlin.Net.Structure.IO.GraphSON;
 using static Gremlin.Net.Process.Traversal.AnonymousTraversalSource;
 
 public class ConnectionExample
 {
     static readonly string ServerHost = Environment.GetEnvironmentVariable("GREMLIN_SERVER_HOST") ?? "localhost";
     static readonly int ServerPort = int.Parse(Environment.GetEnvironmentVariable("GREMLIN_SERVER_PORT") ?? "8182");
+    static readonly int SecureServerPort = int.Parse(Environment.GetEnvironmentVariable("GREMLIN_SECURE_SERVER_PORT") ?? "8183");
     static readonly string VertexLabel = Environment.GetEnvironmentVariable("VERTEX_LABEL") ?? "connection";
 
     static void Main()
     {
         WithRemoteConnection();
         WithConf();
-        WithSerializer();
+        WithBasicAuth();
     }
 
     // Connecting to the server
@@ -48,23 +48,30 @@ static void WithRemoteConnection()
         Console.WriteLine("Vertex count: " + count);
     }
 
-    // Connecting to the server with customized configurations
+    // Connecting to the server with customized connection settings
     static void WithConf()
     {
-        using var remoteConnection = new DriverRemoteConnection(new GremlinClient(
-        new GremlinServer(hostname: ServerHost, port: ServerPort, enableSsl: false, username: "", password: "")), "g");
+        var server = new GremlinServer(ServerHost, ServerPort);
+        var settings = new ConnectionSettings
+        {
+            ConnectionTimeout = TimeSpan.FromSeconds(30),
+        };
+        using var remoteConnection = new DriverRemoteConnection(
+            new GremlinClient(server, connectionSettings: settings), "g");
         var g = Traversal().With(remoteConnection);
 
         var v = g.AddV(VertexLabel).Iterate();
         var count = g.V().HasLabel(VertexLabel).Count().Next();
         Console.WriteLine("Vertex count: " + count);
     }
 
-    // Specifying a serializer
-    static void WithSerializer()
+    // Connecting with basic authentication using a request interceptor
+    static void WithBasicAuth()
     {
-        var server = new GremlinServer(ServerHost, ServerPort);
-        var client = new GremlinClient(server, new GraphSON3MessageSerializer());
+        var server = new GremlinServer(ServerHost, SecureServerPort, enableSsl: true);
+        var client = new GremlinClient(server,
+            connectionSettings: new ConnectionSettings { SkipCertificateValidation = true },
+            interceptors: new[] { Auth.BasicAuth("stephen", "password") });
         using var remoteConnection = new DriverRemoteConnection(client, "g");
         var g = Traversal().With(remoteConnection);
 

diff --git a/gremlin-dotnet/Examples/ModernTraversals/ModernTraversals.cs b/gremlin-dotnet/Examples/ModernTraversals/ModernTraversals.cs
@@ -47,8 +47,8 @@ This example requires the Modern toy graph to be preloaded upon launching the Gr
         var e2 = g.V(1).BothE().Where(OtherV().HasId(2)).ToList(); // (2)
         var v1 = g.V(1).Next();
         var v2 = g.V(2).Next();
-        var e3 = g.V(v1).BothE().Where(OtherV().Is(v2)).ToList(); // (3)
-        var e4 = g.V(v1).OutE().Where(InV().Is(v2)).ToList(); // (4)
+        var e3 = g.V(v1).BothE().Where(OtherV().Id().Is(v2)).ToList(); // (3)
+        var e4 = g.V(v1).OutE().Where(InV().Id().Is(v2)).ToList(); // (4)
         var e5 = g.V(1).OutE().Where(InV().Has(T.Id, Within(2, 3))).ToList(); // (5)
         var e6 = g.V(1).Out().Where(__.In().HasId(6)).ToList(); // (6)
 

diff --git a/gremlin-dotnet/docker-compose.yml b/gremlin-dotnet/docker-compose.yml
@@ -54,6 +54,7 @@ services:
       - DOCKER_ENVIRONMENT=true
       - GREMLIN_SERVER_HOST=gremlin-server-test-dotnet
       - GREMLIN_SERVER_PORT=45940
+      - GREMLIN_SECURE_SERVER_PORT=45941
       - VERTEX_LABEL=dotnet-example
     working_dir: /gremlin-dotnet
     command: >

diff --git a/gremlin-dotnet/src/Gremlin.Net/Driver/Auth.cs b/gremlin-dotnet/src/Gremlin.Net/Driver/Auth.cs
@@ -0,0 +1,194 @@
+#region License
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#endregion
+
+using System;
+using System.Text;
+using System.Threading.Tasks;
+using Amazon.Runtime;
+using Amazon.Runtime.Internal;
+using Amazon.Runtime.Internal.Auth;
+using Amazon.Runtime.Internal.Util;
+
+namespace Gremlin.Net.Driver
+{
+    /// <summary>
+    ///     Provides factory methods for built-in request interceptors.
+    /// </summary>
+    public static class Auth
+    {
+        /// <summary>
+        ///     Returns a request interceptor that adds an HTTP Basic Authentication header.
+        ///     The credentials are pre-computed once and set on every request.
+        /// </summary>
+        /// <param name="username">The username.</param>
+        /// <param name="password">The password.</param>
+        /// <returns>A request interceptor delegate.</returns>
+        public static Func<HttpRequestContext, Task> BasicAuth(string username, string password)
+        {
+            var encoded = Convert.ToBase64String(
+                Encoding.UTF8.GetBytes(username + ":" + password));
+            var headerValue = "Basic " + encoded;
+
+            return context =>
+            {
+                context.Headers["Authorization"] = headerValue;
+                return Task.CompletedTask;
+            };
+        }
+
+        /// <summary>
+        ///     Returns a request interceptor that signs requests using AWS Signature Version 4.
+        ///     If <paramref name="credentials"/> is null, the default AWS credential chain is
+        ///     used and the resolved provider is cached on first use (the provider itself handles
+        ///     credential refresh for expiring credentials like STS).
+        /// </summary>
+        /// <param name="region">The AWS region (e.g. "us-east-1").</param>
+        /// <param name="service">The AWS service name (e.g. "neptune-db").</param>
+        /// <param name="credentials">
+        ///     Optional AWS credentials. When null, the default credential chain is used.
+        /// </param>
+        /// <returns>A request interceptor delegate.</returns>
+        public static Func<HttpRequestContext, Task> SigV4Auth(
+            string region, string service, AWSCredentials? credentials = null)
+        {
+            // Cache the credential provider once when using the default chain.
+            AWSCredentials? cachedProvider = credentials;
+            var cacheLock = new object();
+
+            // Create signer and config once — both are stateless and thread-safe
+            var signer = new AWS4Signer();
+            var clientConfig = new SigningClientConfig
+            {
+                AuthenticationRegion = region,
+                AuthenticationServiceName = service,
+            };
+
+            return async context =>
+            {
+                if (cachedProvider == null)
+                {
+                    lock (cacheLock)
+                    {
+                        // FallbackCredentialsFactory only has a sync API, but this runs once.
+                        cachedProvider ??= FallbackCredentialsFactory.GetCredentials();
+                    }
+                }
+
+                // Use the async path — important for credential providers that perform
+                // network I/O (e.g. IMDS on EC2, ECS task role endpoint).
+                var immutableCreds = await cachedProvider.GetCredentialsAsync()
+                    .ConfigureAwait(false);
+                SignRequest(context, immutableCreds, signer, clientConfig);
+            };
+        }
+
+        private static void SignRequest(HttpRequestContext context,
+            ImmutableCredentials credentials, AWS4Signer signer, SigningClientConfig clientConfig)
+        {
+            // Build a DefaultRequest from the HttpRequestContext for the AWS SDK signer.
+            var endpointUri = new Uri(context.Uri.GetLeftPart(UriPartial.Authority));
+            var awsRequest = new DefaultRequest(new NullRequest(), clientConfig.AuthenticationServiceName)
+            {
+                HttpMethod = context.Method,
+                Endpoint = endpointUri,
+                ResourcePath = context.Uri.AbsolutePath,
+                Content = context.Body is byte[] bytes
+                    ? bytes
+                    : throw new InvalidOperationException(
+                        "SigV4 signing requires Body to be byte[]. " +
+                        "Ensure serialization occurs before the SigV4 interceptor."),
+                AuthenticationRegion = clientConfig.AuthenticationRegion,
+                OverrideSigningServiceName = clientConfig.AuthenticationServiceName,
+            };
+
+            // Copy headers (skip Host — signer adds it)
+            foreach (var header in context.Headers)
+            {
+                if (!string.Equals(header.Key, "Host", StringComparison.OrdinalIgnoreCase))
+                {
+                    awsRequest.Headers[header.Key] = header.Value;
+                }
+            }
+
+            // Copy query parameters
+            var query = context.Uri.Query;
+            if (!string.IsNullOrEmpty(query))
+            {
+                // Remove leading '?'
+                var queryString = query.StartsWith("?") ? query.Substring(1) : query;
+                foreach (var param in queryString.Split('&'))
+                {
+                    if (string.IsNullOrEmpty(param)) continue;
+                    var parts = param.Split(new[] { '=' }, 2);
+                    var key = Uri.UnescapeDataString(parts[0]);
+                    var value = parts.Length > 1 ? Uri.UnescapeDataString(parts[1]) : "";
+                    awsRequest.Parameters[key] = value;
+                }
+            }
+
+            // Set content hash header before signing
+            var payloadHash = context.GetPayloadHash();
+            awsRequest.Headers["x-amz-content-sha256"] = payloadHash;
+
+            // Sign the request
+            signer.Sign(awsRequest, clientConfig, new RequestMetrics(), credentials);
+
+            // Copy signed headers back to context. Cherry-pick the known SigV4 headers
+            // because the .NET Dictionary is case-sensitive and the AWS SDK may use
+            // different casing than what interceptors expect.
+            context.Headers["Host"] = endpointUri.Host;
+            if (awsRequest.Headers.ContainsKey("Authorization"))
+            {
+                context.Headers["Authorization"] = awsRequest.Headers["Authorization"];
+            }
+            if (awsRequest.Headers.ContainsKey("X-Amz-Date"))
+            {
+                context.Headers["X-Amz-Date"] = awsRequest.Headers["X-Amz-Date"];
+            }
+            context.Headers["x-amz-content-sha256"] = payloadHash;
+
+            // Add session token if temporary credentials
+            if (!string.IsNullOrEmpty(credentials.Token))
+            {
+                context.Headers["X-Amz-Security-Token"] = credentials.Token;
+            }
+        }
+
+        /// <summary>
+        ///     A minimal AmazonWebServiceRequest implementation required by DefaultRequest.
+        /// </summary>
+        private class NullRequest : AmazonWebServiceRequest
+        {
+        }
+
+        /// <summary>
+        ///     A minimal ClientConfig implementation for SigV4 signing.
+        /// </summary>
+        private class SigningClientConfig : ClientConfig
+        {
+            public override string RegionEndpointServiceName => "execute-api";
+            public override string ServiceVersion => "2024-01-01";
+            public override string UserAgent => "gremlin-dotnet";
+        }
+    }
+}