My objective is to make sure that a client can't directly access (retrieve) an entity through the Spring Data REST auto-exposed APIs, but only the views (JPA projections) of those entities.

So far I've managed to achieve it only for the APIs that return a collection of entities (such as findAll()) by using the @RepositoryRestResource(excerptProjection = CustomerView.class) annotation on the repository.

How do I configure Spring Data REST so that it does the same for endpoints that retrieve a specific entity, such as /api/v1/customers/1?

Marco

1 Answer

See "Why is an excerpt projection not applied automatically for a Spring Data REST item resource?"

If you want to apply a projection to a specific entity (that is, an item resource), set the URI template variable projection to construct a URL path like /api/v1/customers/1?projection=customerView. The name customerView is what is set in the @Projection annotation. See the doc: https://docs.spring.io/spring-data/rest/docs/current/reference/html/#projections-excerpts.projections

Edit after clarifying with Marco:
Marco wants to hide some sensitive fields such as password. Then the Jackson annotation @JsonIgnore should be added to the sensitive fields to hide them from the response JSON.

yejianfengblue
  • So there is no way for single resource retrieval to decouple entities? Isn't this a core security issue? P.s: I tried to disable the endpoint `/api/v1/customers/1` but also the related projection endpoint was disabled automatically. – Marco Apr 23 '22 at 07:46
  • 1
    What do you mean by core security issue? Do you mean displaying a sensitive field such as `password` in the Spring Data REST auto-exposed API? In such a case, use the Jackson annotation `@JsonIgnore` to hide the sensitive fields. – yejianfengblue Apr 23 '22 at 08:16
  • Could you please clarify the definition of `single resource`? Is it [`item resource`](https://docs.spring.io/spring-data/rest/docs/current/reference/html/#repository-resources.item-resource) (opposite to [`collection resource`](https://docs.spring.io/spring-data/rest/docs/current/reference/html/#repository-resources.collection-resource)) such as `customers/1` and `customers/2`? Or the customer with the ID 1 only? – yejianfengblue Apr 23 '22 at 08:21
  • By single resource, I mean retrieval of a single entity rather than retrieval of a list of entities. In my case, the single resource endpoint is `/api/v1/customers/1` and the list endpoint is `/api/v1/customers`. Hope it clarifies. By the way, my need for a projection was indeed to hide sensitive data from the client, so `@JsonIgnore` could indeed be the answer I am looking for. – Marco Apr 23 '22 at 16:18
  • I edited my answer. Consider marking it accepted. – yejianfengblue Apr 24 '22 at 02:24
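The following is an added example, not code from the question or the answer, putting the two points of this thread side by side: `excerptProjection` only shapes the collection resource, while `@JsonIgnore` removes a sensitive property from every representation, item resource and projections included. It assumes a Spring Boot 3 application (Jakarta persistence namespace; use `javax.persistence` on Boot 2), `spring.data.rest.base-path=/api/v1` in `application.properties` so the paths match the question, an embedded database such as H2 on the test classpath, and hypothetical `Customer`, `CustomerView` and `CustomerRepository` types. Each type below lives in its own source file; the MockMvc test is the check that the item resource really does not leak the field, which is the part a reviewer would want to see before trusting either mechanism.

```java
// --- Customer.java (hypothetical entity) ---
import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;

@Entity
public class Customer {
    @Id
    @GeneratedValue
    private Long id;
    private String name;
    private String email;

    // Removed from every representation Spring Data REST renders for this entity:
    // collection resource, item resource and any projection alike. A projection can
    // only narrow what is shown; @JsonIgnore takes the property out of the model.
    // If clients must be able to send the value on POST/PUT, use
    // @JsonProperty(access = JsonProperty.Access.WRITE_ONLY) instead of @JsonIgnore.
    @JsonIgnore
    private String passwordHash;

    protected Customer() {}            // required by JPA

    public Customer(String name, String email, String passwordHash) {
        this.name = name;
        this.email = email;
        this.passwordHash = passwordHash;
    }

    public Long getId() { return id; }
    public String getName() { return name; }
    public String getEmail() { return email; }
    public String getPasswordHash() { return passwordHash; }
}

// --- CustomerView.java (hypothetical projection) ---
import org.springframework.data.rest.core.config.Projection;

// "customerView" is the value a client passes as ?projection=customerView
@Projection(name = "customerView", types = Customer.class)
public interface CustomerView {
    String getName();
}

// --- CustomerRepository.java (hypothetical repository) ---
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

// excerptProjection applies to the collection resource only (GET /api/v1/customers);
// the item resource (GET /api/v1/customers/1) renders the full entity unless ?projection= is given.
@RepositoryRestResource(path = "customers", excerptProjection = CustomerView.class)
public interface CustomerRepository extends JpaRepository<Customer, Long> {}

// --- CustomerItemResourceTest.java (src/test/java) ---
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class CustomerItemResourceTest {

    @Autowired MockMvc mvc;
    @Autowired CustomerRepository customers;

    @Test
    void itemResourceNeverExposesPasswordHash() throws Exception {
        // constructed sample row; the hash value is a placeholder, not a real hash
        Long id = customers.save(new Customer("Ann", "ann@example.test", "<hash-placeholder>")).getId();

        // Full item resource: email is visible, passwordHash is not
        mvc.perform(get("/api/v1/customers/{id}", id))
           .andExpect(status().isOk())
           .andExpect(jsonPath("$.email").value("ann@example.test"))
           .andExpect(jsonPath("$.passwordHash").doesNotExist());

        // Projected item resource: only the view's fields, and still no passwordHash
        mvc.perform(get("/api/v1/customers/{id}?projection=customerView", id))
           .andExpect(status().isOk())
           .andExpect(jsonPath("$.name").value("Ann"))
           .andExpect(jsonPath("$.email").doesNotExist())
           .andExpect(jsonPath("$.passwordHash").doesNotExist());
    }
}
```

The test encodes the thread's conclusion as a regression check: the projection is a presentation choice a client can opt out of by omitting `?projection=`, so anything that must never reach a client belongs behind `@JsonIgnore` (or a write-only `@JsonProperty`) on the entity itself, and the assertion on `$.passwordHash` is what catches a future field that someone forgets to annotate.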