Upgrading my MS from Spring Boot 2.7 to 3.0, I've noticed that entities are exposed even though I 'hide' them and scan only the controller package, which contains only APIs.
For an entity Customer I could invoke all CRUD actions!
http://localhost:8093/customerEntities/7308 GET / PUT / POST
Properties:
    springdoc:
      paths-to-match: /v1/**
      packages-to-scan: a.b.c.controller # only APIs
This could hide entity endpoints from Swagger, but I could fetch them with the URL directly.
So how do I eliminate those entity endpoints?
Some information:
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <dependency>
        <groupId>org.springdoc</groupId>
        <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
        <version>2.1.0</version>
    </dependency>
    <dependency>
        <groupId>org.springdoc</groupId>
        <artifactId>springdoc-openapi-common</artifactId>
        <version>1.6.15</version>
        <scope>compile</scope>
    </dependency>
You can try configuring the setExposeRepositoryMethodsByDefault to false and check.
Sample code snippet:
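    import org.springframework.context.annotation.Configuration;
    import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
    import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;

    @Configuration
    public class AppRepositoryConfig implements RepositoryRestConfigurer {
        @Override
        public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config, CorsRegistry cors) {
            // Do not expose repository CRUD methods over HTTP unless explicitly annotated
            config.setExposeRepositoryMethodsByDefault(false);
        }
    }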