你可以在application.yml中为你想在没有授权的情况下执行的graphql操作定义一个属性。例如，在application.yml -> authorization中：排除操作：IntrospectionQuery
在WebSecurityConfig.java中，您可以如下绑定您的excludedOperation变量，@Value（“${authorization.excludedoperation}”）private String excludedOperations;
并将excludedOperation定义为GraphQLServletExecutor实现GraphQLServletExecutorImpl中的字段。在www.example.com中WebSecurityConfig.java，从返回GraphQLServletExecutor（SpqrMvcAutoConfiguration.graphQLExecutor的替换）newGraphQLExecutor的@Bean方法中，返回GraphQLServletExecutorImpl，并将excludedOperation作为构造函数参数之一。
在GraphQLServletExecutorImpl中，确保在execute函数中，只有当GraphQL请求中的OperationName不包含排除的操作（在您的情况下是IntrospectionQuery）时，您才进行授权。

public Map<String, Object> execute(GraphQL graphQL, GraphQLRequest graphQLRequest, NativeWebRequest nativeRequest) {

    ExecutionInput input = buildInput(graphQLRequest, nativeRequest, contextFactory, dataLoaderRegistryFactory);

    if (!excludedOperations.contains(graphQLRequest.getOperationName())) {
        
        // check the access_token
        HttpServletRequest request = nativeRequest.getNativeRequest(HttpServletRequest.class);
            bearerTokenAuthorizer.authorize(EMPTY_AUTH_ANNOTATION, request);
            //do your thing

    }

    return graphQL.execute(input).toSpecification();
}