Spring Data REST / DATAREST-1176

Add ability to only expose repository methods explicitly declared for exposure

      Description

      The currently available detection strategies in SDR only allow restricting exported repositories at class level. So when a repository is exported, all of its methods are exported, too. Only by using @RestResource(exported = false) can you prevent SDR from exporting a given method.

      We identified in our project that there is a certain security risk in that case. Developers are not always aware of all the methods that are automatically exported via REST by the application. By simply adding new repositories and just wanting a findAll() method to be publicly available, even save and delete methods are exported by default. As most applications want to apply security especially on the write methods, an additional "pessimistic" strategy could be useful in Spring. That way you can still profit from all the benefits SDR provides, but you can be sure that only methods you explicitly added and annotated with @RestResource are exported.

      The following example shows how exporting with the new strategy should work:

      import org.springframework.data.repository.Repository;
      import org.springframework.data.repository.query.Param;
      import org.springframework.data.rest.core.annotation.RepositoryRestResource;
      import org.springframework.data.rest.core.annotation.RestResource;

      @RepositoryRestResource
      interface PersonRepository extends Repository<Person, Long> {

        // Explicitly marked for exposure: exported under the proposed strategy
        @RestResource
        Iterable<Person> findAll();

        // Not annotated: stays unexported under the proposed strategy
        Iterable<Person> findByFirstname(@Param("firstname") String firstname);
      }
      

      In that case, only the findAll() method is exported via REST. The findByFirstname method and all CRUD methods like save or delete are not exported via REST by default. They have to be added explicitly and annotated with @RestResource if they are to be exported via REST.
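The following is an added example, not code from this issue or from the Spring Data REST project. It shows the situation the issue describes: a repository extending CrudRepository exports save and delete by default (1), and the opt-out mechanisms available today have to name each write method (2) or each HTTP verb (3) explicitly. The Person entity, the repository and configuration class names and the "people" path are hypothetical; the javax.persistence imports assume a JPA store on the Spring Data REST 3.x line, and the ExposureConfiguration API in (3) is assumed to require Spring Data REST 3.1 or later. (1) and (2) are alternatives for the same aggregate; only one of them may exist in an application.

```java
// Added example (not from the issue or from Spring Data REST itself).
// Person, the repository/config names and the "people" path are hypothetical;
// javax.persistence assumes a JPA store on the Spring Data REST 3.x line.
package example;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.http.HttpMethod;

@Entity
class Person {
    @Id @GeneratedValue Long id;
    String firstname;
}

// (1) The risky default: everything inherited from CrudRepository is exported,
//     so POST /people, PUT/PATCH /people/{id} and DELETE /people/{id} are live
//     even though the developer only wanted the read side.
@RepositoryRestResource(path = "people")
interface OpenPersonRepository extends CrudRepository<Person, Long> {
    Iterable<Person> findByFirstname(@Param("firstname") String firstname);
}

// (2) Method-level opt-out: re-declare each write method and switch it off.
//     SDR resolves the save and delete methods by name, so every variant a
//     client could reach is marked; an override that is forgotten stays exported.
@RepositoryRestResource(path = "people")
interface GuardedPersonRepository extends CrudRepository<Person, Long> {

    @Override
    @RestResource(exported = false)
    <S extends Person> S save(S entity);

    @Override
    @RestResource(exported = false)
    void deleteById(Long id);

    @Override
    @RestResource(exported = false)
    void delete(Person entity);

    // Read side stays exported: GET /people, GET /people/{id} and the search method
    Iterable<Person> findByFirstname(@Param("firstname") String firstname);
}

// (3) Verb-level opt-out for the whole aggregate (assumed Spring Data REST 3.1+):
//     independent of which repository methods exist, so write methods added to
//     the repository later do not silently reopen the endpoints.
@Configuration
class ReadOnlyPeopleConfig implements RepositoryRestConfigurer {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
        config.getExposureConfiguration()
              .forDomainType(Person.class)
              .withCollectionExposure((metadata, methods) -> methods.disable(HttpMethod.POST))
              .withItemExposure((metadata, methods) ->
                  methods.disable(HttpMethod.PUT, HttpMethod.PATCH, HttpMethod.DELETE));
    }
}
```

A quick check after startup: with (1) in place, `curl -i -X DELETE http://localhost:8080/people/1` succeeds, while with (2) or (3) the same request should be answered with 405 Method Not Allowed. Neither mechanism is opt-in: (2) has to be repeated for every write method and (3) for every aggregate, which is exactly the gap a pessimistic strategy would close.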

              People

              Assignee:
              olivergierke Oliver Drotbohm
              Reporter:
              TobiasWeiss Tobias Weiss
              Last updater:
              Oliver Drotbohm
              Votes:
              1
              Watchers:
              4
