Description
Tobias Weiss opened DATAREST-1176 and commented
The currently available detection strategies in SDR only allow restricting REST repositories on class level. So when a Repository is exported, all of its methods are exported, too. Only by using @RestResource(exported = false) can you prevent SDR from exporting a given method.
We identified in our project that there is a certain security risk in that case. Developers are not always aware of all the methods that are automatically exported via REST by the application. By simply adding a new Repository and just wanting a findAll() method to be publicly available, even save and delete methods are exported by default. As most applications want to apply security especially on the write methods, an additional "pessimistic" strategy can be useful in Spring. That way you can still profit from all the benefits SDR provides, but you can be sure that only methods you explicitly added and annotated with @RestResource are exported.
The following example shows how the exporting with the new strategy should work:
import org.springframework.data.repository.Repository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;
@RepositoryRestResource
interface PersonRepository extends Repository<Person, Long> {
    // explicitly marked for export under the proposed pessimistic strategy
    @RestResource
    Iterable<Person> findAll();
    // not annotated: stays hidden under the proposed strategy
    Iterable<Person> findByFirstname(@Param("firstname") String firstname);
}
In that case, only the findAll() method is exported via REST. The findByFirstname method and all CRUD methods like save or delete are not exported via REST by default. They have to be added explicitly and annotated with @RestResource if they shall be exported via REST.
Issue Links:
- DATAREST-1034 Allow overriding exposure defined at the type level on the method ("is duplicated by")
- DATAREST-1268 Support RepositoryDetectionStrategies.EXPLICIT_METHOD_ANNOTATED
Backported to: 3.0.3 (Kay SR3), 2.6.10 (Ingalls SR10)
1 vote, 5 watchers
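For comparison with the proposed opt-in strategy, the following is an added example (not code from the issue or from the Spring Data REST project) of the opt-out pattern the description says is available today: a CrudRepository is exported, and every inherited write method plus the derived query that should not be reachable over HTTP is redeclared with @RestResource(exported = false). It assumes a Person entity with a Long id and a firstname field, and the CrudRepository method set of Spring Data 2.x (the Kay line named in the backport); the repository name and path are made up for the example.

```java
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;

// Added example: a read-only export using the opt-out mechanism that exists today.
// Person is assumed to be an entity with a Long id and a firstname property.
@RepositoryRestResource(path = "people")
public interface ReadOnlyPersonRepository extends CrudRepository<Person, Long> {

    // Every write method inherited from CrudRepository is redeclared and hidden,
    // so SDR registers no POST/PUT/PATCH/DELETE handling for this resource.
    // Hiding a single overload is not enough; each one has to be redeclared.
    @Override
    @RestResource(exported = false)
    <S extends Person> S save(S entity);

    @Override
    @RestResource(exported = false)
    <S extends Person> Iterable<S> saveAll(Iterable<S> entities);

    @Override
    @RestResource(exported = false)
    void deleteById(Long id);

    @Override
    @RestResource(exported = false)
    void delete(Person entity);

    @Override
    @RestResource(exported = false)
    void deleteAll(Iterable<? extends Person> entities);

    @Override
    @RestResource(exported = false)
    void deleteAll();

    // Query methods are exported under /people/search unless hidden explicitly,
    // which is exactly the surprise the pessimistic strategy is meant to remove.
    @RestResource(exported = false)
    Iterable<Person> findByFirstname(@Param("firstname") String firstname);
}
```

The contrast with the interface in the description is the point: with the opt-out pattern, every method that must stay private has to be remembered and hidden one by one, and a new query method added later is exported unless someone thinks of it. Under the proposed strategy the same repository would need only the methods that should be public, each carrying @RestResource, and anything left unannotated would stay off the HTTP surface.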