how to make a specific GraphQL query or mutation as public API in spring boot security?

Question

how to make a specific GraphQL query as public API in spring boot security?

In REST API, we can specify the URL as public like the following code

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return web -> web.ignoring().requestMatchers(CorsUtils::isPreFlightRequest)     
            .antMatchers("/actuator/**", "/graphiql/**", "/voyager/**", "/vendor/**");
}

How to do the same for specific GraphQL query or mutation ,

query {
     listEmployee(){
        id
     }
}

Answer 1

GraphQL uses a single endpoint for all queries and mutations. This is one of the main differences when compared to REST.

That means you cannot control its security at the URL level if you want a query or mutation to have different security settings than others as they all have the same URL. Instead every query and mutation is backed by their own resolver method. You can control security at the method level using @PreAuthorize etc… (More info) .