I'm using Django with DRF-Spectacular and swagger-ui.
I'm interested in how I can disable the expanding of a Schema (only a single schema related to tokens) so that it only shows the endpoint.
To only show a subset of endpoints in the schema you have 2 options:
1. In urls.py use SpectacularAPIView(urlconf=YOUR_SUBSET_OF_URLPATTERNS)
2. Write a preprocessing hook that filters out endpoints that you don't want to expose.
I'm using a combination of various Spring components - Boot (2.3), Data, Data REST, Springdoc. In my model objects I use auditing - I annotate some fields with @CreatedBy, @CreatedDate etc. I would like to disable the possibility of setting the value of those audit fields through the REST API. At the same time, I want this information to be available when retrieving data.
Seems like quite an obvious thing to do, but I'm unable to find a way to do this. By default I can easily provide those values in API calls and see them persisted.
Ideally, such a configuration change would also be visible in the OpenAPI spec generated by Springdoc (in the request model).
So it turns out that I'm silly :)
So my error was that authentication and authorization was disabled at that time. Once enabled, I wasn't able to provide values for createdBy and other fields as they were just getting overridden with correct values.
When it comes to the OpenAPI specification, I had to annotate the fields with @Schema(accessMode = Schema.AccessMode.READ_ONLY) from io.swagger.v3.oas.annotations.media.Schema. This resulted in correct info. See the Swagger view:
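As an added illustration of the resulting setup (not the asker's code): a JPA entity whose audit fields are filled by Spring Data auditing from the security context and marked read-only for Springdoc. @Schema only affects the generated spec; the Jackson READ_ONLY access on the same fields makes the API ignore client-supplied values as well, so the behaviour no longer depends on auditing being enabled. The Document entity, AuditConfig and the auditorProvider bean are hypothetical.

```java
// Added example (not the asker's code). Document, its fields and AuditConfig are hypothetical.
import java.time.Instant;
import java.util.Optional;
import javax.persistence.Entity;
import javax.persistence.EntityListeners;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import com.fasterxml.jackson.annotation.JsonProperty;
import io.swagger.v3.oas.annotations.media.Schema;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.annotation.CreatedBy;
import org.springframework.data.annotation.CreatedDate;
import org.springframework.data.domain.AuditorAware;
import org.springframework.data.jpa.domain.support.AuditingEntityListener;
import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Entity
@EntityListeners(AuditingEntityListener.class) // Spring Data fills the audit fields on persist
public class Document {
    @Id @GeneratedValue
    private Long id;
    private String title;

    @CreatedBy
    @Schema(accessMode = Schema.AccessMode.READ_ONLY)     // documented as read-only in the OpenAPI model
    @JsonProperty(access = JsonProperty.Access.READ_ONLY) // Jackson drops it on input, still serializes it
    private String createdBy;
    @CreatedDate
    @Schema(accessMode = Schema.AccessMode.READ_ONLY)
    @JsonProperty(access = JsonProperty.Access.READ_ONLY)
    private Instant createdDate;

    // getters and setters omitted for brevity
}

@Configuration
@EnableJpaAuditing(auditorAwareRef = "auditorProvider")
class AuditConfig {
    // The auditor is read from the authenticated principal: this is why the client-supplied
    // createdBy was overwritten once authentication was switched on.
    @Bean
    AuditorAware<String> auditorProvider() {
        return () -> Optional.ofNullable(SecurityContextHolder.getContext().getAuthentication())
                .filter(Authentication::isAuthenticated)
                .map(Authentication::getName);
    }
}
```

With this in place a POST carrying "createdBy" is accepted but the field is silently ignored, and the generated spec shows both audit fields with readOnly: true.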
I guess the problem comes from your bad design. Please consider whether your design is correct or not. I guess in your design, besides the Spring Data REST endpoints (APIs), there is other code which can create and update your object and save it to the database.
Your question has nothing to do with Spring Data REST. Audit fields annotated with @Createdxx and @LastModifiedxx are auto-updated by the Spring Data repository, and Spring Data REST just calls the Spring Data repository to persist data.
Answering the two questions below helps clarify your design.
Question 1:
If you want to keep the create (POST) endpoints which are created by Spring Data REST by default, and you don't want audit fields annotated with @Createdxx to be set, then what code is responsible for setting those audit fields?
Assume you send a POST request to create an object, do you want createdBy and createdDate to be null? Or would createdBy and createdDate be updated later by other code?
Question 2:
If you want to keep the update (PUT/PATCH) endpoints which are created by Spring Data REST by default, and you don't want audit fields annotated with @LastModifiedxx to be updated, then what code is responsible for updating those audit fields? And this also results in an incomplete audit (you make an update, but the lastModified info is not updated).
I have a Spring Boot microservice project and I am using GraphQL. For REST API endpoints I am aware that we can document using Swagger etc. GraphiQL also provides dynamic documentation, but is there any other way to create API documentation for customers who are not so aware of how GraphQL or GraphiQL works?
aaah that might help: You can get (and print) the generated schema programmatically:
How to get the generated scheme file .graphqls using SPQR?
Is it possible to allow auto schema file generation (autoSchemaFile) in NestJS for only one resolver?
I would like to have one autogenerated schema and the rest written manually.
Thank you.
I have multiple closely related problems in Spring Security. I am developing using Spring Boot and am using Spring Data REST for creating REST endpoints directly from my repositories.
I have multiple entities and the requirement is to have all these entities as REST endpoints. I am letting spring-data-rest handle the creation of these endpoints and I am securing these endpoints by adding @PreAuthorize and @PostAuthorize to the entity repository methods as and where required. This works great when I am calling an endpoint like /entity/id.
But I am facing issues from here. Let's say I have 2 entities, Entity1 and Entity2, and they have a One to One relationship. Spring Data REST allows me to fetch the related Entity2 data from Entity1 like /entity1/id/entity2. But I have different access rights over Entity1 and Entity2, and calling the above endpoint only checks the access rights as set up in the repository for Entity1. So, if a user has access to the Entity1 table and no access to the Entity2 table, he can still see some Entity2 data via the foreign key relationship of Entity1. Is this a correct design?
Moreover we have some custom API endpoints wherein we have to aggregate data from multiple entity repositories. Also, these endpoints themselves have to be secured. So, I am using a @PreAuthorize over an endpoint method. This works as expected and the endpoint method is called only when the expression is valid. But, when a repository method is called (via a service class of course), the @PreAuthorize over that repository method is also evaluated. I would like to be done with the check at the beginning. Is it possible to do so?
Any suggestions for improving the design are also welcome.
There is no simple solution without massively modifying/overriding lots of default Spring Data REST features. I've been working on such a package for years now and it's working quite well for me.
Although switching to this package might be a bit overkill for you, it could be worth the trouble in the long run because it also fixes a lot of problems you will only meet months later.
you can set up permission rules via annotations directly in the domain objects.
it checks the permissions on the DB side, so the traffic between the API and DB is heavily decreased (only those objects are fetched from the DB which the current user has permission to)
you can set READ/UPDATE/DELETE/CREATE permissions separately for roles and/or certain users
you can use pagination on permission filtered collection
you can use pagination on property-collections too
(+ some extra features like flexible search on multiple properties)
here is the package (It's an extension of Spring Data JPA / Data Rest)
How does Spring Security support dynamic roles & permissions? For example, the role can be generated at runtime by end users. Each role can include multiple permissions which can be created/updated at runtime. Each permission is based on criteria like "delete topic if no activity for 3 months". The ACL of Spring Security can't support it since records of acl_entry are static instead of dynamic. How to customize Spring Security to support such a requirement?
Spring Security 3 supports expression based authorization: it allows you to express security constraints as arbitrary expressions in Spring Expression Language. By default you can use methods of SecurityExpressionRoot in these expressions.
However, you can add your own methods by customizing MethodSecurityExpressionHandler.createEvaluationContext(), so that you can define arbitrary criteria and use them in these expressions. Also see "What's the difference between @Secured and @PreAuthorize in Spring Security 3?".
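An added example of the customization the answer describes (not code from the answer or from Spring Security): a custom expression root that exposes hasDynamicPermission(action, target) to @PreAuthorize and consults a rule store at evaluation time, so roles and their permissions can be created or changed by end users without redeploying. DynamicRuleStore, DynamicPermissionRoot and MethodSecurityConfig are hypothetical names; the example assumes Spring Security 4 or 5, where the hook is createSecurityExpressionRoot on DefaultMethodSecurityExpressionHandler (the Spring Security 3 equivalent the answer names is createEvaluationContext).

```java
// Added example (not from the answer). DynamicRuleStore is a hypothetical runtime rule store.
import java.util.List;
import java.util.function.BiPredicate;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical: for a role, returns the (action, target) -> allowed predicates end users
// attached to it. Rules are fetched at evaluation time, so they may change at runtime.
interface DynamicRuleStore { List<BiPredicate<String, Object>> rulesForRole(String role); }

class DynamicPermissionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    private final DynamicRuleStore rules;
    private Object filterObject, returnObject;
    DynamicPermissionRoot(Authentication auth, DynamicRuleStore rules) { super(auth); this.rules = rules; }

    // Usable as @PreAuthorize("hasDynamicPermission('DELETE', #topic)"). Default deny:
    // grants only if a rule attached to one of the caller's roles evaluates to true.
    public boolean hasDynamicPermission(String action, Object target) {
        return getAuthentication().getAuthorities().stream()
                .flatMap(ga -> rules.rulesForRole(ga.getAuthority()).stream())
                .anyMatch(rule -> rule.test(action, target));
    }
    @Override public void setFilterObject(Object o) { filterObject = o; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object o) { returnObject = o; }
    @Override public Object getReturnObject() { return returnObject; }
    @Override public Object getThis() { return this; }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Autowired private DynamicRuleStore rules;

    @Override protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new DefaultMethodSecurityExpressionHandler() {
            @Override protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
                    Authentication authentication, MethodInvocation invocation) {
                DynamicPermissionRoot root = new DynamicPermissionRoot(authentication, rules);
                root.setPermissionEvaluator(getPermissionEvaluator()); // keep hasPermission() working
                root.setTrustResolver(getTrustResolver());             // keep isAnonymous() etc. working
                root.setRoleHierarchy(getRoleHierarchy());
                return root;
            }
        };
    }
}
```

A criterion like "delete topic if no activity for 3 months" then becomes a stored predicate such as `(action, t) -> action.equals("DELETE") && ((Topic) t).lastActivity().isBefore(Instant.now().minus(90, ChronoUnit.DAYS))`, evaluated against the live object on every call rather than a static acl_entry row.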