2

I am trying to disable GraphQL introspection in my project and am not having much luck with the specific framework I am using. Some articles say it can be done in the CodeRegistry module, but that is decompiled source, which is read-only. Has anyone achieved this with the GraphQL-java-kickstart framework?

Below are the dependencies in my pom file:

        <dependency>
            <groupId>com.graphql-java</groupId>
            <artifactId>graphql-java</artifactId>
            <version>${graphql.java.version}</version>
        </dependency>
        <dependency>
            <groupId>com.graphql-java-kickstart</groupId>
            <artifactId>graphql-java-tools</artifactId>
            <version>${graphql.java.tools.version}</version>
        </dependency>
        <dependency>
            <groupId>com.graphql-java</groupId>
            <artifactId>graphql-java-extended-validation</artifactId>
            <version>0.0.3</version>
        </dependency>

2 Answers

4

Graphql-java

With graphql-java, you build a GraphQLSchema using a GraphQLSchema.Builder. You need to set the builder visibility for the introspection field before building to disable the introspection query.

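    import graphql.schema.GraphQLSchema;
    import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

    // query, mutation, subscription and dictionary are the application's own types.
    GraphQLSchema.Builder builder = GraphQLSchema.newSchema()
                                         .query(query)
                                         .mutation(mutation)
                                         .subscription(subscription)
                                         .additionalTypes(dictionary);

    // Hide the introspection fields before the schema is built.
    builder.fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);

    GraphQLSchema schema = builder.build();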

You can use the graphql-java-tools implementation as a reference.

Graphql-java-tools

With graphql-java-tools, you build a SchemaParser using a SchemaParserBuilder. The SchemaParserBuilder needs a SchemaParserOptions object. When building the SchemaParserOptions, you can enable or disable the introspection query. Here is a very simplified implementation.

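    // introspectionEnabled is a boolean; false turns the introspection query off.
    SchemaParserBuilder builder = new SchemaParserBuilder();
    final SchemaParserOptions.Builder optionsBuilder = SchemaParserOptions.newOptions();
    optionsBuilder.introspectionEnabled(introspectionEnabled);
    // Returns the SchemaParser built with these options.
    return builder.options(optionsBuilder.build()).build();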

You can use the graphql-spring-boot implementation as a reference.

Graphql-spring-boot

If you are using graphql-spring-boot, according to the graphql-java-tools README, you can disable the introspection query by setting the graphql.tools.introspection-enabled property to false in your application.properties or application.yml file.

    graphql:
        tools:
            schema-location-pattern: "**/*.graphqls"
            # Enable or disable the introspection query. Disabling it puts your server in contravention of the GraphQL
            # specification and expectations of most clients, so use this option with caution
            introspection-enabled: false

Graphql-spqr

With Graphql-spqr, the idea is the same as in graphql-java: setting the builder field visibility. See my answer to this question for how to implement it.

Netflix DGS:

    dgs:
      graphql:
        introspection:
          enabled: false
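
A check that the lockdown actually took effect, as an added example (not code from the answer or from graphql-java itself): it sets the same NoIntrospectionGraphqlFieldVisibility through the GraphQLCodeRegistry builder instead of editing the class, then sends an introspection probe and an ordinary query. It assumes a graphql-java release that ships GraphQLCodeRegistry; the class name, the `hello` field and the `build`/`lockedDown` helpers are made up for the example.

```java
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.Scalars;
import graphql.schema.DataFetcher;
import graphql.schema.FieldCoordinates;
import graphql.schema.GraphQLCodeRegistry;
import graphql.schema.GraphQLFieldDefinition;
import graphql.schema.GraphQLObjectType;
import graphql.schema.GraphQLSchema;
import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

// Hypothetical class name; the "hello" field is a constructed sample schema.
public class IntrospectionLockdownCheck {

    static GraphQL build(boolean introspectionEnabled) {
        GraphQLObjectType query = GraphQLObjectType.newObject()
                .name("Query")
                .field(GraphQLFieldDefinition.newFieldDefinition()
                        .name("hello").type(Scalars.GraphQLString))
                .build();

        GraphQLCodeRegistry.Builder registry = GraphQLCodeRegistry.newCodeRegistry()
                .dataFetcher(FieldCoordinates.coordinates("Query", "hello"),
                        (DataFetcher<String>) env -> "world");
        if (!introspectionEnabled) {
            // Same visibility object the answer above sets on the schema builder.
            registry.fieldVisibility(
                    NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
        }
        GraphQLSchema schema = GraphQLSchema.newSchema()
                .query(query).codeRegistry(registry.build()).build();
        return GraphQL.newGraphQL(schema).build();
    }

    // True when the introspection probe is rejected and an ordinary query still works.
    static boolean lockedDown(GraphQL graphQL) {
        ExecutionResult probe = graphQL.execute("{ __schema { types { name } } }");
        ExecutionResult normal = graphQL.execute("{ hello }");
        return !probe.getErrors().isEmpty() && normal.getErrors().isEmpty();
    }

    public static void main(String[] args) {
        boolean ok = lockedDown(build(false));
        System.out.println("introspection rejected, normal queries served: " + ok);
        if (!ok) System.exit(1); // fail a build or startup check
    }
}
```

Running the same `lockedDown` check against the schema an application really builds is a quick way to tell whether a configuration property was picked up.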

5 Comments

The issue is that I am not using Spring Boot; the project is based on Google Dagger 2, so it has to be done through code.
Sorry, I misread your dependencies. I updated my answer to cover graphql-java and graphql-java-tools.
@AllirionX Which version of Spring Boot made it work? I upgraded to 5.4.1 from 4.0.0 and it still did not work with the property mentioned. The only change with respect to your answer in my code is that I use a properties file instead of yml.
@JalajChawla Sorry, I don't have a graphql project running. According to my pom.xml file I was using graphql-spring-boot-starter 5.10.0.
Thanks @AllirionX, I just figured it out with a new project and it works in a Spring Boot graphql project for 5.4.1. The one I tested as an example: github.com/abhijaykumar/graphql-spring-boot-api
1

spring-boot-starter-graphql

In your application.yml

    graphql:
      schema:
        introspection:
          enabled: false

It is implied here: https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/autoconfigure/graphql/GraphQlProperties.Schema.Introspection.html

I am aware that I am not answering the direct question but searches for related queries all end up here.

1 Comment

It should be under the spring key though, like this: spring.graphql.schema.introspection.enabled
