Disable an action from RestController default behaviour

Question

I recently started learning the sping-boot framework and I'm trying to build a controller to handle users. I created a rest controller as follow:

@RestController
@RequestMapping("/users")
public class UserController {

    @Autowired
    UserRepository userRepository;
    @Autowired
    BCryptPasswordEncoder bCryptPasswordEncoder;

    @PostMapping("/sign-up")
    public void signUp(@RequestBody User user) {
        user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
        userRepository.save(user);
    }
}

and this is the model:

@Entity
@Table(name = "req_user")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    private String username;
    @JsonIgnore
    private String password;
    private String email;

    public User() { }

    public User(String username, String password, String email) {
        this.id = null;
        this.username = username;
        this.password = password;
        this.email = email;
    }

    ...

    @JsonIgnore
    public String getPassword() {
        return password;
    }

    @JsonProperty
    public void setPassword(String password) {
        this.password = password;
    }

    ...
}

end this is the repository:

@Repository
public interface UserRepository extends CrudRepository<User, Long> {

    User findByUsername(String username);

}

Now that works fine, but I want to disable some actions that are provided by RestController by default. In particular, I want to inhibit the possibility to view the list of all users and to delete one of them. What is the recommended way to do that?

Please explain. The controller is only going to expose methods that you create. — Brian, Dec 21 '17 at 17:28
You are mixing up with this perhaps: https://spring.io/guides/gs/accessing-data-rest/. — Brian, Dec 21 '17 at 17:28
Extending a repository interface (ex. `CrudRepository`, `JpaRepository`) will give you access to those internally, but unless you map a request, and implement the methods of which you reference, you aren't exposing this. I do suggest, as good practice, that you mark `userRepository` and `bCryptPasswordEncoder` as `private`, but again, that isn't exposing anything via HTTP. — Brian, Dec 21 '17 at 17:32
@Brian yes, I think it is something with the resource you linked, indeed I keep "HATEOAS stuff" in the response like _links and _embedded params. I tried to disable it in the application.properties with `spring.hateoas.use-hal-as-default-json-media-type=false` but it is still the same — SimoV8, Dec 21 '17 at 17:39
I don't see any references to HATEOAS in your code. Try looking at the settings I answered with here: https://stackoverflow.com/questions/28330716/how-to-disable-the-default-exposure-of-spring-data-rest-repositories/42905993#42905993. Also, this might help. I know the specific flavor is Mongo, but the pattern applies: https://stackoverflow.com/questions/29169717/how-to-prevent-some-http-methods-from-being-exported-from-my-mongorepository/29280226#29280226 — Brian, Dec 21 '17 at 17:46
But to be clear, this has nothing to do with the `@RestController` you present in your question, it is with respect to Spring Data Rest, which it sounds like you also have enabled. — Brian, Dec 21 '17 at 17:47
You're right: adding `spring.data.rest.detection-strategy=annotated` or removing `public` in front of the repository I get a 404 not found error (because by default public repositories are exposed). On the other hand, in this way I also lose access to /api/users/, but maybe it's better to define it myself? — SimoV8, Dec 21 '17 at 17:57
@Brian thank you, I've understood my mistake. If you write a response I'll accept it. — SimoV8, Dec 21 '17 at 18:07

Disable an action from RestController default behaviour

0 Answers0