I have a Spring controller with the below mappings:

```java
import java.util.List;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    // Injected through the constructor; no setter or public field needed.
    private final UserService service;

    public UserController(UserService service) {
        this.service = service;
    }

    // POST /users/create -> 201 Created with the persisted user
    @PostMapping("/users/create")
    ResponseEntity<User> create(@RequestBody User user) {
        return new ResponseEntity<>(this.service.create(user), HttpStatus.CREATED);
    }

    // GET /users/{id} -> 200 OK with a single user
    @GetMapping("/users/{id}")
    ResponseEntity<User> getById(@PathVariable Long id) {
        return ResponseEntity.ok(this.service.findById(id));
    }

    // GET /users/all -> 200 OK with every user
    @GetMapping("/users/all")
    List<User> getAll() {
        return this.service.findAll();
    }

    // PUT /users/{id} -> replaces the user with the given id
    @PutMapping("/users/{id}")
    User updateUser(@RequestBody User newUser, @PathVariable Long id) {
        return this.service.updateUser(newUser, id);
    }

    // DELETE /users/{id} -> removes the user with the given id
    @DeleteMapping("/users/{id}")
    void deleteUser(@PathVariable Long id) {
        this.service.deleteById(id);
    }
}
```
When I send a request to http://localhost:8080/users/all I get a list of all users as expected. But I noticed that if I send a GET request to just http://localhost:8080/users it returns a list with all the data, as shown below:

```json
{
  "_embedded": {
    "users": [
      {
        "admin": false,
        "name": "Name",
        "_links": {
          "self": {
            "href": "http://localhost:8080/users/1"
          },
          "user": {
            "href": "http://localhost:8080/users/1"
          },
          "tickets": {
            "href": "http://localhost:8080/users/1/tickets"
          }
        }
      },
      {
        "admin": false,
        "name": "Example",
        "_links": {
          "self": {
            "href": "http://localhost:8080/users/2"
          },
          "user": {
            "href": "http://localhost:8080/users/2"
          },
          "tickets": {
            "href": "http://localhost:8080/users/2/tickets"
          }
        }
      }
    ]
  },
  "_links": {
    "self": {
      "href": "http://localhost:8080/users"
    },
    "profile": {
      "href": "http://localhost:8080/profile/users"
    }
  },
  "page": {
    "size": 20,
    "totalElements": 4,
    "totalPages": 1,
    "number": 0
  }
}
```
How come Spring is able to return this data even though it has no explicit mapping, and how can I disable it? This is just for a personal training exercise, so security is not vital, but I would like to know how to avoid this, as I could have accidentally exposed all the data had this been real.

Any advice would be appreciated, thanks.

Update: As it has been suggested that the GET (/users/{id}) mapping was using a null value, I commented it out and tried to call it again. Providing it with a number returned a 405 as the service no longer exists, but when I tried http://localhost:8080/users/ again it still returned all the data shown above.
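The shape of that response (the `_embedded` wrapper, the `profile` link pointing at `/profile/users`, and the `page` block) is the HAL output that Spring Data REST generates automatically for every Spring Data repository it finds on the classpath, independently of any `@RestController` mappings. The following is an added example, not code from the question: it assumes the project has `spring-boot-starter-data-rest` as a dependency and a Spring Data repository for `User` (the name `UserRepository` and the use of `JpaRepository` are assumptions, since the question only shows the controller), and it stops that repository from being exported while keeping it usable from `UserService`.

```java
// Added example, not the asker's code. Package name and repository name are
// hypothetical; the question does not show the repository layer.
package com.example.users;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

// When spring-boot-starter-data-rest is on the classpath, Spring Data REST
// exports every detected repository as a HAL collection resource by default,
// which is what serves GET /users (and /users/{id}, /users/search/**,
// /profile/users) without any explicit controller mapping.
//
// exported = false removes all of those generated resources for this
// repository; the service layer can still call it normally, and the
// hand-written UserController remains the only HTTP surface for users.
@RepositoryRestResource(exported = false)
public interface UserRepository extends JpaRepository<User, Long> {
}
```

Two alternatives cover the whole application rather than one repository: set `spring.data.rest.detection-strategy=annotated` in `application.properties`, so only repositories explicitly annotated with `@RepositoryRestResource` are exported, or remove the `spring-boot-starter-data-rest` dependency entirely if nothing in the project relies on it. Whichever route is taken, a quick check is to request `http://localhost:8080/users` again and confirm it now returns 404 instead of the paged HAL collection, and to look for a `profile` link in the root resource at `http://localhost:8080/`, which disappears once no repositories are exported.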