排除 Spring-data-rest 资源的部分字段 [英] Exclude some fields of Spring-data-rest resource

问题描述

我正在尝试使用 Spring-data-rest 和 spring-data-mongodb 来公开只读资源.

I'm trying to use Spring-data-rest with spring-data-mongodb to expose read-only resources.

我遇到的问题是，我想对我的文档有不同的看法.假设我在文档中有一些私人信息，我不想公开它们.

The problem I met, is that I want to have different views of my documents. Let's say I have some private information in a document, I don't want to expose them publicly.

所以我尝试了几种方法.我读了这篇文章 https://spring.io/blog/2014/12/02/latest-jackson-integration-improvements-in-spring 描述了如何使用 JsonView 来选择我们想要公开的字段.

So I tried several ways. I read this post https://spring.io/blog/2014/12/02/latest-jackson-integration-improvements-in-spring describing how to use JsonView in order to select the fields we want to expose.

我试过这样:

@RepositoryRestResource(collectionResourceRel = "recommandation", path =    "recommandations")
interface RecommandationRepository extends MongoRepository<Recommendation,   ObjectId> {

@Override
@JsonView(View.Public.class)
Iterable<Recommendation> findAll(Iterable<ObjectId> objectIds);
... // other find methods
}

它不起作用.然而，在评论中说:https://spring.io/blog/2014/12/02/latest-jackson-integration-improvements-in-spring#comment-1725671983答案建议使用@Projections但是@Projections 会产生这样的网址:.../recommandations{?projection}"这意味着投影只是一个选项，所以完整的对象仍然是暴露的.

It doesn't works. It is however said in the comments : https://spring.io/blog/2014/12/02/latest-jackson-integration-improvements-in-spring#comment-1725671983 The answer suggests to use @Projections However @Projections result in url like that : "…/recommandations{?projection}" It means that the projection is just an option, so the full object is still exposed.

这里描述了另一种方法https://github.com/spring-projects/spring-data-rest/wiki/Configuring-the-REST-URL-path它建议对我们不想公开的字段使用 @RestResource(exported = false) 注释.

There is another method described here https://github.com/spring-projects/spring-data-rest/wiki/Configuring-the-REST-URL-path It suggests to use @RestResource(exported = false) annotation for the fields we don't want to expose.

但它不灵活.如果我想公开一个公共只读 API 和一个私有完全访问 API.不能为每个 api 禁用此注释.

But it's not flexible. If I want to expose a public read-only API and a private full access API. This annotation can't be disabled per api.

还有其他建议吗?

推荐答案

重要的一点是 Spring Data REST 使用基于域对象的 Jackson 序列化参数，而不是存储库定义.一种在 JSON 中隐藏特定字段的简单方法如下:

The important point is that Spring Data REST uses Jackson serialization parameters based on the domain object, not the repository definition. One simple way to hide a particular field from appearing in the JSON is like this:

@Entity
public class User {

    @Id @GeneratedValue
    private Long id;

    private String name;

    @JsonIgnore
    private String password;
    ...

在此示例中，无论如何使用该实体，我的 User 对象都不会导出密码字段.Jackson 支持把这个放到场上，或者放到相应的 getter 方法上.

In this example, my User object will NEVER export a password field no matter how this entity is used. Jackson supports either putting this on the field, or putting on the corresponding getter method.

当您将 @JsonIgnore 放入域模型时，它会使其成为默认定义.投影是改变渲染字段的选项.看下面的例子:

When you put @JsonIgnore in the domain model, it makes it the default definition. Projections are options to alter what fields get rendered. Look at the following example:

@Projection(name = "noImages", types = {Item.class})
public interface NoImages {

    public Link getHtmlUrl();

}

此项目只能在渲染Item 域对象时使用.它不是默认视图，而是通过 ?projection=noImages 使用的一个选项.但不要忘记:当需要应用 Jackson 序列化时，项目将覆盖域模型的设置.这意味着您可以为上面的 User 对象编写一个投影，并让它包含 String getPassword().这将覆盖域模型的默认设置，进而导出密码.责任在你.

This project can only be used when rendering Item domain objects. It isn't the default view, but instead an option to use via ?projection=noImages. But don't forget: when it comes time to apply Jackson serialization, the project will override the domain model's settings. This means you can write a projection for that User object up above and have it include String getPassword(). This would override the domain model's default setting an in turn export a password. Responsibility is yours.

最后一件事.Spring Data REST 支持摘录投影.最常见的用例是您有一个与 Address 对象相关的 Customer 对象.默认情况下，查看客户地址的关系将显示要导航的 URI.但是，如果您一直都需要地址信息，则可以通过创建呈现地址详细信息的投影来避免这种额外的 GET 操作.然后，您可以为 Customer 对象配置它，默认情况下打开此投影，并在获取客户记录时基本上内联地址详细信息.

One last thing. Spring Data REST supports Excerpt Projections. The most common use case is where you have a Customer object related to an Address object. By default, the relationship to see a customer's address would show a URI to navigate. But if you are wanting the address information all the time, you can avoid this extra GET operation by creating a projection that renders the address details. Then you can configure that for Customer objects, turn on this projection by default and essentially inline the address details whenever you fetch a customer record.

我意识到参考文档在所有这些细节上都不是最新的.您可以跟踪我们的进度以适当地更新文档，如下所示:

I realize the reference docs aren't quite up to date on all these details. You can track our progress to update the docs suitably as follows:

• https://jira.spring.io/browse/DATAREST-449
• https://jira.spring.io/browse/DATAREST-450
• https://jira.spring.io/browse/DATAREST-451
• https://jira.spring.io/browse/DATAREST-452
• https://jira.spring.io/browse/DATAREST-453
• https://jira.spring.io/browse/DATAREST-454

还有一个错误，就是 Spring Data REST 的 ALPS 元数据也需要过滤掉标有 @JsonIgnore 的域字段(参见 https://jira.spring.io/browse/DATAREST-463)

There is also a bug in that the ALPS metadata from Spring Data REST also needs to filter out domain fields tagged with @JsonIgnore (see https://jira.spring.io/browse/DATAREST-463)

附言@RestResource 已弃用，并且不是设置导出哪些字段的推荐方法.相反，使用 @JsonIgnore，如前所述.

P.S. @RestResource is deprecated and not the recommended approach to setting what fields get exported. Instead, use @JsonIgnore as shown earlier.

这篇关于排除 Spring-data-rest 资源的部分字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！