I'm developing my very first app (a card game) where I use Spring Boot as back end and Angular as front end; they communicate via API. For this, I have a couple of @RestController classes where I have every method I need (get, post, put, delete) for the classes match: /api/matches and user: /api/users, like the following:

import java.util.List;

import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@CrossOrigin("*")
@RequestMapping("/matches")
public class MatchApiController {

    // GET /matches : list every match
    @GetMapping
    public List<Match> findAll() {
        //blabla
    }

    //Other methods
}

And my classes are like this:

import javax.persistence.Entity;
import javax.persistence.Table;

@Entity
@Table(name = "`match`")   // backticks because "match" is a reserved word in some databases
public class Match {
    //stuff
}

The app is working as intended but I somehow found out that I can call other classes from my model in the API. For example, if I go to /api/cards I can see every card of the database, which is not much appreciated. Even worse: if I go to /api/users I can see every user with their encrypted password... Actually, the API returns everything that is in the database, is that normal? Am I missing something here?

So my statement is the following:

Technically, I only need to retrieve match information through /api/matches/4, for example. I also need the methods in the couple of @RestController classes.

I don't need any other information in /api.

Is there any way to 'disable' classes I don't need in the API?

Or do I have to manually block them? Maybe there is a simpler way to do this?

Anthony
  • What classes do you have annotated with `@RestController`? Can you show them and also the methods? – Jorge Campos Jun 25 '20 at 16:19
  • 1. If you implement findAll then everything is returned. So you should not provide these if you don't need it. 2. You should add security so that only logged-in users can see the data they are allowed to. – Simon Martinelli Jun 25 '20 at 16:33
  • Thank you guys for the effort but I think I found a solution that suits, I updated the post. – Anthony Jun 25 '20 at 16:41


I have found a way in the end, I could have probably saved the effort of this question, sorry.

If anyone is interested: I used this and it seems to be a good solution:

First, I created a @Configuration class:

import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;

@Configuration
public class RestConfig implements RepositoryRestConfigurer {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
        // stop Spring Data REST from publishing every repository under the base path
        config.disableDefaultExposure();
    }
}

And I added the specific API access I needed, such as /api/matches/{id}:

    // GET /matches/{id} : one match, or 404 via MatchNotFoundException
    @GetMapping("/{id}")
    public Match findById(@PathVariable int id) {
        return new Match(this.daoMatch.findById(id)
                .orElseThrow(MatchNotFoundException::new));
    }
Anthony
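The answer shows two fragments; the example below, which is added here and is not the asker's code, puts the whole picture in one file so the cause and the fix are visible together. The package name, the `MatchRepository`/`UserRepository` interfaces, the `MatchNotFoundException`, the entity fields and the `User` entity are all assumptions, as is the `/api` prefix (assumed to come from `server.servlet.context-path`). It uses the two-argument `configureRepositoryRestConfiguration` that Spring Data REST 3.1+ expects, and `javax.persistence` as in the 2020-era Spring Boot 2 the post uses (Spring Boot 3 uses `jakarta.persistence` instead). The `@JsonIgnore` on the password hash is an extra safeguard that goes beyond the answer: it keeps the hash out of any JSON response even if a `User` object is ever returned by some later endpoint.

```java
// Added example, not the asker's code. All names outside the original post are assumed.
package com.example.cardgame;

import java.util.List;

import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;

import com.fasterxml.jackson.annotation.JsonIgnore;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;

@Entity
@Table(name = "`match`")
class Match {
    @Id
    private Integer id;
    private String state;            // assumed field

    public Integer getId() { return id; }
    public String getState() { return state; }
}

@Entity
@Table(name = "users")               // assumed table name
class User {
    @Id
    private Integer id;
    private String username;

    // Never serialised by Jackson, so the hash cannot leak through any endpoint
    // that happens to return a User. Field-level @JsonIgnore covers the getter too.
    @JsonIgnore
    private String passwordHash;

    public Integer getId() { return id; }
    public String getUsername() { return username; }
    public String getPasswordHash() { return passwordHash; }
}

// The cause of the original problem: with spring-boot-starter-data-rest on the
// classpath, each of these repositories is automatically published as a collection
// resource (/api/matches, /api/users, ...) with list, get, post, put and delete.
interface MatchRepository extends JpaRepository<Match, Integer> {}
interface UserRepository extends JpaRepository<User, Integer> {}

// The fix from the answer: nothing is exported unless a repository explicitly
// opts in with @RepositoryRestResource(exported = true).
@Configuration
class RestConfig implements RepositoryRestConfigurer {
    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config,
                                                     CorsRegistry cors) {
        config.disableDefaultExposure();
    }
}

// Maps the missing-match case to a plain 404 instead of a stack trace.
@ResponseStatus(HttpStatus.NOT_FOUND)
class MatchNotFoundException extends RuntimeException {}

// Only the endpoints the app actually needs exist; /api/cards and /api/users
// are no longer served by anything.
@RestController
@RequestMapping("/matches")          // /api prefix assumed to come from the context path
class MatchApiController {
    private final MatchRepository matches;

    MatchApiController(MatchRepository matches) {
        this.matches = matches;      // constructor injection, no @Autowired needed
    }

    @GetMapping
    public List<Match> findAll() {
        return matches.findAll();
    }

    @GetMapping("/{id}")
    public Match findById(@PathVariable int id) {
        return matches.findById(id).orElseThrow(MatchNotFoundException::new);
    }
}
```

A quick way to confirm the change took effect is to request the resources that used to leak, for example `curl -i http://localhost:8080/api/users` and `curl -i http://localhost:8080/api/cards`, and check that they no longer return a collection, while `curl -i http://localhost:8080/api/matches/4` still returns the match. As Simon Martinelli's comment notes, this only removes endpoints that should never have existed; which logged-in user may read which match is a separate authorization concern that this example does not cover.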