Spring Data REST - do not allow to return entities but only views (projections)

My objective is to make sure that a client can't directly access (retrieve) an entity through the Spring Data REST auto-exposed APIs, but only the views (JPA projections) of those entities.

So far I've managed to achieve it only for the APIs that return a collection of entities (such as findAll()) by using the @RepositoryRestResource(excerptProjection = CustomerView.class) annotation on the repository.

How do I configure Spring Data REST so that it does the same for endpoints that retrieve a specific entity, such as /api/v1/customers/1?



Solution 1:[1]

See Why is an excerpt projection not applied automatically for a Spring Data REST item resource?

If you want to apply a projection to a specific entity (that is, an item resource), set the URI template variable projection to construct a URL path /api/v1/customers/1?projection=customerView. The name customerView is what is set in the @Projection annotation. See the docs: https://docs.spring.io/spring-data/rest/docs/current/reference/html/#projections-excerpts.projections

Edit after clarifying with Macro:
Macro wants to hide some sensitive fields such as password. Then the Jackson annotation @JsonIgnore should be added to the sensitive fields to hide them from the response JSON.
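
The setup discussed in this answer, as an added example that is not code from the original post. The `Customer` fields and the `jakarta.persistence` imports (Spring Boot 3; `javax.persistence` on older versions) are assumptions.

```java
// --- Customer.java (constructed entity; field names are assumptions) ---
import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;

@Entity
public class Customer {
    @Id @GeneratedValue
    private Long id;
    private String name;
    private String email;

    // Dropped by Jackson whenever the entity itself is serialized, so the
    // item resource no longer returns it even without ?projection=...
    // Note: @JsonIgnore also stops the field being read from request bodies.
    @JsonIgnore
    private String password;

    public Long getId() { return id; }
    public String getName() { return name; }
    public String getEmail() { return email; }
    public String getPassword() { return password; }
}

// --- CustomerView.java (same package as the entity, so it is auto-registered) ---
import org.springframework.data.rest.core.config.Projection;

// "customerView" is the value a client passes as ?projection=customerView
@Projection(name = "customerView", types = Customer.class)
public interface CustomerView {
    String getName();
    String getEmail();
    // getPassword() is deliberately not declared: a projection exposes
    // only the getters listed on the interface.
}

// --- CustomerRepository.java ---
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

// The excerpt projection is applied to collection resources only.
@RepositoryRestResource(excerptProjection = CustomerView.class)
public interface CustomerRepository extends JpaRepository<Customer, Long> {}

// GET /api/v1/customers                          -> name, email (excerpt)
// GET /api/v1/customers/1                        -> name, email (password ignored)
// GET /api/v1/customers/1?projection=customerView -> name, email
```

The `projection` parameter is chosen by the client, so the `@JsonIgnore` on the entity is what keeps `password` out of the plain item resource.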

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1