I recently started learning the Spring Boot framework and I'm trying to build a controller to handle users. I created a REST controller as follows:

```java
@RestController
@RequestMapping("/users")
public class UserController {

    @Autowired
    UserRepository userRepository;
    @Autowired
    BCryptPasswordEncoder bCryptPasswordEncoder;

    @PostMapping("/sign-up")
    public void signUp(@RequestBody User user) {
        user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
        userRepository.save(user);
    }
}
```

and this is the model:

```java
@Entity
@Table(name = "req_user")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    private String username;
    @JsonIgnore
    private String password;
    private String email;

    public User() { }

    public User(String username, String password, String email) {
        this.id = null;
        this.username = username;
        this.password = password;
        this.email = email;
    }

    ...

    @JsonIgnore
    public String getPassword() {
        return password;
    }

    @JsonProperty
    public void setPassword(String password) {
        this.password = password;
    }

    ...
}
```

and this is the repository:

```java
@Repository
public interface UserRepository extends CrudRepository<User, Long> {

    User findByUsername(String username);

}
```

Now that works fine, but I want to disable some actions that are provided by RestController by default. In particular, I want to inhibit the possibility to view the list of all users and to delete one of them. What is the recommended way to do that?

SimoV8
  • RestController doesn't provide those actions. – JB Nizet Dec 21 '17 at 17:27
  • Please explain. The controller is only going to expose methods that you create. – Brian Dec 21 '17 at 17:28
  • You are mixing up with this perhaps: https://spring.io/guides/gs/accessing-data-rest/. – Brian Dec 21 '17 at 17:28
  • Extending a repository interface (ex. `CrudRepository`, `JpaRepository`) will give you access to those internally, but unless you map a request, and implement the methods of which you reference, you aren't exposing this. I do suggest, as good practice, that you mark `userRepository` and `bCryptPasswordEncoder` as `private`, but again, that isn't exposing anything via HTTP. – Brian Dec 21 '17 at 17:32
  • @Brian yes, I think it is something with the resource you linked, indeed I keep "HATEOAS stuff" in the response like _links and _embedded params. I tried to disable it in the application.properties with `spring.hateoas.use-hal-as-default-json-media-type=false` but it is still the same – SimoV8 Dec 21 '17 at 17:39
  • I don't see any references to HATEOAS in your code. Try looking at the settings I answered with here: https://stackoverflow.com/questions/28330716/how-to-disable-the-default-exposure-of-spring-data-rest-repositories/42905993#42905993. Also, this might help. I know the specific flavor is Mongo, but the pattern applies: https://stackoverflow.com/questions/29169717/how-to-prevent-some-http-methods-from-being-exported-from-my-mongorepository/29280226#29280226 – Brian Dec 21 '17 at 17:46
  • But to be clear, this has nothing to do with the `@RestController` you present in your question, it is with respect to Spring Data Rest, which it sounds like you also have enabled. – Brian Dec 21 '17 at 17:47
  • You're right: adding `spring.data.rest.detection-strategy=annotated` or removing `public` in front of the repository I get a 404 not found error (because by default public repositories are exposed). On the other hand, in this way I also lose access to /api/users/, but maybe it's better to define it myself? – SimoV8 Dec 21 '17 at 17:57
  • @Brian thank you, I've understood my mistake. If you write a response I'll accept it. – SimoV8 Dec 21 '17 at 18:07
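
The comments above trace the listing and delete endpoints to Spring Data REST exporting the public repository, not to the `@RestController`. As an added example (not code from the question or from any commenter), this is one way to keep the repository exported while hiding only those operations; it assumes Spring Data 2.x method names (`deleteById`; on 1.x the id-based method is `delete(ID)`), and the `path = "users"` value is an assumption.

```java
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;

// Explicitly annotated, so the repository is still exported when
// spring.data.rest.detection-strategy=annotated is set.
@RepositoryRestResource(path = "users") // path value is an assumption
public interface UserRepository extends CrudRepository<User, Long> {

    // Used by application code only; without this annotation the query
    // method would be exported under the repository's /search resource.
    @RestResource(exported = false)
    User findByUsername(String username);

    // The collection listing (GET on the repository path) is backed by
    // findAll(); hiding the method removes that operation.
    @Override
    @RestResource(exported = false)
    Iterable<User> findAll();

    // Hide both delete variants so DELETE on an item is not served
    // regardless of which method Spring Data REST selects.
    @Override
    @RestResource(exported = false)
    void deleteById(Long id);

    @Override
    @RestResource(exported = false)
    void delete(User entity);
}
```

`save` is still exported here, so writes that go through the Spring Data REST endpoint do not pass through the `signUp` method's BCrypt encoding. If every write should go through the controller, hide the whole repository with `@RepositoryRestResource(exported = false)` or rely on the `annotated` detection strategy without annotating it.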
