Spring data rest - Is there a way to restrict the supported operations?
Solution 1
From the Spring docs on Hiding repository CRUD methods:
16.2.3. Hiding repository CRUD methods
If you don’t want to expose a save or delete method on your CrudRepository, you can use the @RestResource(exported = false) setting by overriding the method you want to turn off and placing the annotation on the overriden version. For example, to prevent HTTP users from invoking the delete methods of CrudRepository, override all of them and add the annotation to the overriden methods.
@RepositoryRestResource(path = "people", rel = "people") interface PersonRepository extends CrudRepository<Person, Long> { @Override @RestResource(exported = false) void delete(Long id); @Override @RestResource(exported = false) void delete(Person entity); }
It is important that you override both delete methods as the exporter currently uses a somewhat naive algorithm for determing which CRUD method to use in the interest of faster runtime performance. It’s not currently possible to turn off the version of delete which takes an ID but leave exported the version that takes an entity instance. For the time being, you can either export the delete methods or not. If you want turn them off, then just keep in mind you have to annotate both versions with exported = false.
Solution 2
As of early 2018, there is now the ability to only expose repository methods explicitly declared for exposure (DATAREST-1176
)
See RepositoryRestConfiguration
A Export false at Type level does not allow overriding with export true at Method level ticket (DATAREST-1034
) was opened, but closed as a duplicate of DATAREST-1176
. Oliver Gierke stated:
I'll resolve this as fixed against the version of DATAREST-1176 for now but feel free to reopen in case there's anything else you need.
They are not exact duplicates and the functionality described in 1034
would have been more user friendly, but there are at least some options now.
Related videos on Youtube
Manglu
I am a seasoned IT architect currently working in the Security and Open Banking (Consumer Data Right in Australia) space. Before working in the Cloud solution space, I had worked in the BPM, Integration and the broader middleware space for over 20 years. My special interest and expertise has been in the IBM middleware products(WebSphere Family of products) and the open source solutions in this space. I was fortunate to start on the Java/JEE and WebSphere journey in the mid 90s and have been riding the key waves in the IT industry over the last 2-3 decades. Life in the IT Wave is fun-filled and I try to share my skills and expertise with the broader community. Consumer Data Right (CDR) is the current wave that I have been riding on for the last couple of years!!
Updated on June 27, 2022Comments
-
Manglu almost 2 years
I want to expose data from a database as Restful APIs in a Spring(SpringBoot) application. Spring Data Rest appears to be an exact fit for purpose for this activity.
This database is read-only for my application needs. The default provides all the HTTP methods. Is there a configuration that I can use to restrict (in fact prevent) the other methods from being exposed?
-
Alan Hay about 7 yearsThe most convenient way would be to use Spring security to block everything other than GET requests. SDR does provide functionality in this area: docs.spring.io/spring-data/rest/docs/current/reference/html/… however handling at the HTTP level via Spring Security is simpler.
-
-
Snekse over 6 yearsIf you are reading this, you should think about up voting this ticket. SDR can be dangerous. jira.spring.io/browse/DATAREST-1034
-
pitchblack408 almost 6 yearsIs this still true with sping boot 2.0.2.RELEASE?
-
pitchblack408 almost 6 yearsI am using JpaRepository. When I try to override void delete(Long id); I get an error message, "Method doe not override method from its super class" . What should I do in my case?
-
Beezer almost 6 yearsdoes not work for me...boot, data rest 1.5.4 RELEASE.
-
Hamid Mohayeji almost 5 yearsCould you please explain how this is possible? I can't find it anywhere.
-
Snekse almost 5 years@HamidMohayeji This may not entirely answer your question, but the
ExposureConfiguration
is probably the most correct way to configure this. Customizing default exposure docs.spring.io/spring-data/rest/docs/current/reference/html/… * ExposureConfiguration* docs.spring.io/spring-data/rest/docs/current/api/org/… -
Snekse almost 5 years@HamidMohayeji If the above comment fails, then getting a handle on the
RepositoryRestConfiguration
and setting therepositoryDetectionStrategy
might be an option. You can search that class for usage ofexpose
as well as there are several options for changing default exposure. There may be spring boot properties to adjust these things. -
Lubo over 4 yearsSee @Snekse answer and use
RepositoryRestConfiguration.disableDefaultExposure()
and its documentation to export only explicitly marked repos/methods. -
Felipe Desiderati over 4 yearsAlso answered here: stackoverflow.com/a/59741296/8650621
-
arxakoulini almost 4 yearsWhat if you want to to use JpaRepository, will it still work?
-
Snekse almost 4 years@nikiforos There's one way to find out 🙂
-
IPP Nerd over 3 yearsdon't forget to disable deleteAll() ;-)