I just noticed that Spring creates basic endpoints, and I'd like to disable them.
What I mean is that, for example, I have a UserController with the path /user, and I only want users to see their own data. The problem is that Spring seems to generate a basic endpoint, so even though I didn't create a controller for it, I can access every user's data just by calling the endpoint /users, which, in a way, exposes the whole database to any logged-in user.
I don't know if it helps, but I use these annotations:
@RestController
@RequestMapping("/user")
public class UserControllerImpl {
...
}
@Service
public class UserService {
...
}
@Repository
public interface UserRepository extends CrudRepository<User, Long> {
...
}
@Entity
public class User extends BaseEntity {
...
}
Could you tell me how to disable it?
Thanks!
CodePudding user response:
Spring Framework doesn't have any controllers like UserController.
You must add authentication and authorization to your project. The easiest way in Spring is to use Spring Security. But it requires some basic knowledge, can be too difficult for juniors, and you might not understand how it works. You can read something like that article.
Maybe, if you are just studying, it would be better to implement authentication and authorization yourself, to understand how it works. In its simplest form, it's not difficult.
CodePudding user response:
Thank you for your time!
I finally found the explanation here: https://docs.spring.io/spring-data/rest/docs/current/reference/html/#repository-resources.methods
So, one thing I didn't know is that "If you extend CrudRepository you usually expose all methods required to expose all HTTP resources we can register by default.".
And to disable that, you just need to annotate the class with @RestResource(exported = false) (or, if you want some methods to remain exposed, you can annotate the individual methods you don't want to expose).
In my case I did:
@RestResource(exported = false)
@Repository
public interface UserRepository extends CrudRepository<User, Long> {
}
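As an added example (not the asker's code and not from the linked documentation), here is the selective variant the second answer mentions: the repository stays exported, but the collection listing and the write operations are hidden from Spring Data REST, and a small configuration switches the export default to "only annotated repositories", so a repository nobody thought about is not published by accident. It assumes a Spring Boot project with spring-boot-starter-data-rest on the classpath, a recent Spring Data REST (the two-argument configureRepositoryRestConfiguration callback), and the hypothetical package com.example.demo; the User entity is the one from the question.

```java
// Added example, not the asker's project code. Two files shown in one block.
// Assumed package and a User entity like the one in the question.
package com.example.demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.data.rest.core.config.RepositoryDetectionStrategy.RepositoryDetectionStrategies;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.web.servlet.config.annotation.CorsRegistry;

// --- File: UserRepository.java ---
// Exported on purpose, but only the methods below that are NOT marked
// exported = false become HTTP resources.
@RepositoryRestResource(path = "users")
public interface UserRepository extends CrudRepository<User, Long> {

    // Hide the collection resource: without this, GET /users lists every user.
    @Override
    @RestResource(exported = false)
    Iterable<User> findAll();

    // Hide creation and updates over HTTP (POST/PUT/PATCH on /users).
    @Override
    @RestResource(exported = false)
    <S extends User> S save(S entity);

    // Hide deletion over HTTP (DELETE /users/{id}).
    @Override
    @RestResource(exported = false)
    void deleteById(Long id);

    @Override
    @RestResource(exported = false)
    void delete(User entity);

    // findById is left exported, so GET /users/{id} still exists. Hiding
    // methods controls visibility only; deciding whether the caller may read
    // that particular id is authorization and belongs in your controller or
    // security layer (compare the caller's identity with the requested user).
}

// --- File: RestExportConfig.java ---
// Default-deny for repository export: a repository is published only when it
// carries @RepositoryRestResource (or @RestResource). Repositories you forget
// to annotate are therefore not exposed.
@Configuration
class RestExportConfig implements RepositoryRestConfigurer {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config,
                                                     CorsRegistry cors) {
        config.setRepositoryDetectionStrategy(RepositoryDetectionStrategies.ANNOTATED);
    }
}
```

With this in place, GET /users answers 405 (the collection method is not exported) while GET /users/{id} still works; if you want nothing generated at all, the class-level @RepositoryRestResource(exported = false) from the answer above is the simpler choice. Either way, the per-user restriction the question asks for still has to be enforced by an ownership check, because exported = false changes which endpoints exist, not who is allowed to call the remaining ones.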