Description
I don't know where else to ask this question.
I'm also not an expert on Spring Security.
We have an existing REST API (Spring Boot, with all our security layers already in use). My company needs to create a new API, and GraphQL seems to be the perfect fit for its use case.
I have all the GraphQL queries running locally; I just need to add security.
I'm running into issues with allowing the GraphiQL IntrospectionQuery through with no security, but requiring security for all other queries.
Same URI - /api/graphql
How do I secure one, but not the other when both paths and methods are the same?
I have been playing with the Spring Boot Security SecurityFilterChain
So far I need to allow the path to get GraphiQL to work.
.requestMatchers(HttpMethod.POST, "/api/graphql").permitAll()
When I make a call to my new query, it seems like an anonymous SecurityContext is used and not the Authorization header I passed in.
Recapping one more time.
POST /api/graphql query IntrospectionQuery - allow through with no security
POST /api/graphql query getData - need to secure it.
How to handle this in the Spring Boot Security Filter Chain?
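One way to handle this, given here as an added example that is neither the issue author's code nor the project's: since both queries arrive as POST /api/graphql, the HTTP-level matcher cannot tell them apart, so the endpoint is permitted at the filter-chain level and authentication is enforced per query with method security on the data fetcher. Introspection (`__schema`, `__type`) is answered by graphql-java itself and never reaches a `@QueryMapping` method, so it passes without credentials, while `getData` is rejected for anonymous callers. Assumptions: Spring Boot 3 with spring-boot-starter-graphql, spring-boot-starter-security and spring-boot-starter-oauth2-resource-server (bearer JWT in the Authorization header); the path `/api/graphql` and the `getData` query name come from the issue; `DataController`, the `Report` record, the `/graphiql` UI path and the JWT issuer are placeholders.

```java
package example.graphql.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;

import java.util.List;

/**
 * HTTP layer: the GraphQL endpoint is open, because introspection and data
 * queries share the same path and method. permitAll() only skips the
 * authorization decision; the bearer-token filter still runs, so a valid
 * Authorization header populates the SecurityContext before any data fetcher
 * executes. If the header is absent or invalid, the context stays anonymous.
 */
@Configuration
@EnableMethodSecurity // turns on @PreAuthorize evaluation for beans
class GraphQlSecurityConfig {

    @Bean
    SecurityFilterChain graphQlFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless API authenticated by a bearer token, never a session cookie,
            // so CSRF protection is not needed on this endpoint (assumption).
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/graphql"))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Same matcher as in the issue: introspection and data queries both pass here.
                .requestMatchers(HttpMethod.POST, "/api/graphql").permitAll()
                // GraphiQL UI assets (placeholder path; adjust to the actual UI location).
                .requestMatchers("/graphiql/**").permitAll()
                // Everything else on the server still requires a logged-in caller.
                .anyRequest().authenticated())
            // Validates the JWT from "Authorization: Bearer ..." and fills the SecurityContext.
            // The issuer/JWK location comes from application properties (not shown here).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

/** Placeholder result type for the getData query. */
record Report(String id, String title) {}

/**
 * GraphQL layer: the security decision is made per field, where the query name
 * is known. The introspection query never calls this controller.
 */
@Controller
class DataController { // hypothetical controller

    /**
     * Requires an authenticated caller. For an anonymous caller Spring for GraphQL
     * turns the access-denied exception into an UNAUTHORIZED error entry in the
     * response (HTTP status stays 200, as is conventional for GraphQL).
     */
    @QueryMapping
    @PreAuthorize("isAuthenticated()")
    public List<Report> getData(Authentication authentication) {
        // The injected Authentication is the one built from the bearer token;
        // use it to scope the result to the caller (sample data, constructed here).
        return List.of(new Report("1", "report visible to " + authentication.getName()));
    }
}
```

With this split, `curl -X POST /api/graphql` carrying the IntrospectionQuery body and no Authorization header succeeds, while the same request with `query { getData { id title } }` returns an `errors` entry of type UNAUTHORIZED and `data.getData` as null. Sending a valid bearer token makes `getData` succeed, which also answers the "anonymous SecurityContext" observation: the context is only anonymous when nothing in the chain consumed the header, so check that the resource-server (or whichever header-based) authentication filter is actually registered on the chain that serves `/api/graphql`. Finer rules such as `@PreAuthorize("hasAuthority('SCOPE_reports:read')")` can be applied per `@QueryMapping` without touching the HTTP matcher.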