Spring Data REST 代码审计指南<\/h1>

0. 概述<\/h2>
Spring Data REST 是建立在 Data Repository 之上的框架，能够直接将 repository 以 HATEOAS 风格暴露为 Web 服务，无需手动编写 Controller 层。本指南将深入分析 Spring Data REST 的工作原理和安全风险。<\/p>

1. 请求路径组成<\/h2>

1.1 基础路径配置<\/h3>

默认根路径为 \/<\/code>，可通过以下方式修改：<\/p>


配置文件方式：<\/li>
<\/ol>
spring.data.rest.basePath=\/api
<\/code><\/pre>

编程方式（高版本）：<\/li>
<\/ol>
@Configuration<\/span>
<\/span><\/span>class<\/span> CustomRestMvcConfiguration<\/span> {<\/span>
<\/span><\/span>    @Bean<\/span>
<\/span><\/span>    public<\/span> RepositoryRestConfigurer repositoryRestConfigurer<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> new<\/span> RepositoryRestConfigurer()<\/span> {<\/span>
<\/span><\/span>            @Override<\/span>
<\/span><\/span>            public<\/span> void<\/span> configureRepositoryRestConfiguration<\/span>(<\/span>RepositoryRestConfiguration config,<\/span> CorsRegistry cors)<\/span> {<\/span>
<\/span><\/span>                config.<\/span>setBasePath<\/span>(<\/span>"\/api"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>1.2 路径类型<\/h3>
示例 Repository：<\/p>
@RepositoryRestResource<\/span>(<\/span>path =<\/span> "tenantPath"<\/span>)<\/span>
<\/span><\/span>public<\/span> interface<\/span> TenantRepository<\/span> extends<\/span> CrudRepository<<\/span>Tenant,<\/span> Long><\/span> {<\/span>
<\/span><\/span>    Page<<\/span>Tenant><\/span> findAllByNameContaining<\/span>(<\/span>String name,<\/span> Pageable page);<\/span>
<\/span><\/span>    Page<<\/span>Tenant><\/span> findAllByIdCardContaining<\/span>(<\/span>String idCard,<\/span> Pageable page);<\/span>
<\/span><\/span>    
<\/span><\/span>    @RestResource<\/span>(<\/span>path =<\/span> "mobile"<\/span>,<\/span> rel =<\/span> "mobile"<\/span>)<\/span>
<\/span><\/span>    Tenant findFirstByMobile<\/span>(<\/span>String mobile);<\/span>
<\/span><\/span>    
<\/span><\/span>    @RestResource<\/span>(<\/span>exported =<\/span> false<\/span>)<\/span>
<\/span><\/span>    Tenant findFirstByIdCard<\/span>(<\/span>String idCard);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>路径类型包括：<\/p>

仓库路径(Repository Path)<\/strong>：如 \/tenants<\/code> 或 \/tenantPath<\/code><\/li>
实体资源路径(Entity Resource Path)<\/strong>：如 \/tenants\/1<\/code><\/li>
查询路径(Search Path)<\/strong>：如 \/tenants\/search\/findAllByNameContaining<\/code><\/li>
关系路径(Association Path)<\/strong>：如 \/tenants\/1\/address<\/code><\/li>
Profile 路径<\/strong>：\/profile<\/code> 提供服务器元信息<\/li>
<\/ul>
2. 请求解析过程<\/h2>
2.1 处理流程<\/h3>


请求由 DispatcherServlet<\/code> 处理<\/p>
<\/li>

使用 DelegatingHandlerMapping<\/code> 委托给：<\/p>

RepositoryRestHandlerMapping<\/code><\/li>
BasePathAwareHandlerMapping<\/code><\/li>
<\/ul>
<\/li>

主要处理以下注解的类：<\/p>
<\/li>
<\/ol>
@RepositoryRestController<\/span> \/\/ 处理仓库相关请求
<\/span><\/span><\/span><\/span>@BasePathAwareController<\/span> \/\/ 处理基础路径相关请求
<\/span><\/span><\/span><\/code><\/pre>2.2 详细解析示例<\/h3>
以 \/tenantPath\/search\/findAllByIdCardContaining<\/code> 请求为例：<\/p>

RepositoryRestHandlerMapping#getHandlerInternal<\/code> 获取 handler<\/li>
初始化请求路径（考虑 PathPattern 解析器）<\/li>
从请求头获取 Accept<\/code> 值并处理<\/li>
匹配 RequestMappingInfo<\/code> 对象<\/li>
获取 repositoryLookupPath<\/code>（处理 baseUri）<\/li>
获取 RepositoryBasePath<\/code><\/li>
检查路径是否匹配 metadata<\/li>
创建 PathPattern<\/code> 并设置到请求属性<\/li>
最终映射到 RepositorySearchController#executeSearch<\/code><\/li>
<\/ol>
2.3 与 Spring Web 的区别<\/h3>

不使用 RequestMappingHandlerMapping<\/code>，而是使用专门的 REST 处理器映射<\/li>
路径处理：

支持尾部额外 \/<\/code>（会被剔除）<\/li>
不支持<\/strong> URL 编码路径（如 \/%7Brepository%7D\/search\/%7Bsearch%7D<\/code> 会返回 404）<\/li>
<\/ul>
<\/li>
<\/ol>
3. 安全风险与防护<\/h2>
3.1 ALPS 文档信息泄露<\/h3>
风险<\/strong>：<\/p>

默认暴露 ALPS 文档（\/profile<\/code>）<\/li>
包含资源、属性、关系和操作等元信息<\/li>
<\/ul>
防护措施<\/strong>：<\/p>
@Configuration<\/span>
<\/span><\/span>public<\/span> class<\/span> CustomRestMvcConfiguration<\/span> {<\/span>
<\/span><\/span>    @Bean<\/span>
<\/span><\/span>    public<\/span> RepositoryRestConfigurer repositoryRestConfigurer<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> new<\/span> RepositoryRestConfigurer()<\/span> {<\/span>
<\/span><\/span>            @Override<\/span>
<\/span><\/span>            public<\/span> void<\/span> configureRepositoryRestConfiguration<\/span>(<\/span>RepositoryRestConfiguration config,<\/span> CorsRegistry cors)<\/span> {<\/span>
<\/span><\/span>                config.<\/span>getMetadataConfiguration<\/span>().<\/span>setAlpsEnabled<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 端点暴露控制<\/h3>
防护方法<\/strong>：<\/p>

接口级别禁用：<\/li>
<\/ol>
@RepositoryRestResource<\/span>(<\/span>exported =<\/span> false<\/span>)<\/span>
<\/span><\/span>public<\/span> interface<\/span> SensitiveRepository<\/span> extends<\/span> CrudRepository<<\/span>Sensitive,<\/span> Long><\/span> {}<\/span>
<\/span><\/span><\/code><\/pre>
方法级别禁用：<\/li>
<\/ol>
@RestResource<\/span>(<\/span>exported =<\/span> false<\/span>)<\/span>
<\/span><\/span>Tenant findFirstByIdCard<\/span>(<\/span>String idCard);<\/span>
<\/span><\/span><\/code><\/pre>
安全配置建议：<\/li>
<\/ol>

使用 MvcRequestMatcher<\/code> 而非 AntPathRequestMatcher<\/code><\/li>
获取完整路径的方式：<\/li>
<\/ul>
PathPattern pathPattern =<\/span> (<\/span>PathPattern)<\/span> request.<\/span>getAttribute<\/span>(<\/span>
<\/span><\/span>    "org.springframework.data.rest.webmvc.RepositoryRestHandlerMapping.EFFECTIVE_REPOSITORY_RESOURCE_LOOKUP_PATH"<\/span>);<\/span>
<\/span><\/span>String requestPath =<\/span> pathPattern.<\/span>getPatternString<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>3.3 敏感数据暴露<\/h3>
防护措施<\/strong>：<\/p>

使用投影(Projections)控制返回字段<\/li>
避免暴露实体所有字段<\/li>
<\/ol>
3.4 拒绝服务(DoS)<\/h3>
防护措施<\/strong>：<\/p>

限制查询返回结果数量<\/li>
配置合适的分页和排序<\/li>
<\/ol>
3.5 其他风险<\/h3>

SQL 注入：需审计 Repository 方法<\/li>
权限控制：确保适当鉴权<\/li>
<\/ol>
4. 最佳实践<\/h2>

禁用不必要的 ALPS 文档<\/li>
严格控制暴露的端点<\/li>
使用投影保护敏感数据<\/li>
实现适当的分页限制<\/li>
使用 MvcRequestMatcher<\/code> 进行路径匹配<\/li>
定期审计 Repository 方法安全性<\/li>
<\/ol>
通过遵循这些指南，可以显著提高 Spring Data REST 应用的安全性，减少潜在的安全风险。<\/p>

Spring Data REST 代码审计指南<\/h1>

0. 概述<\/h2> Spring Data REST 是建立在 Data Repository 之上的框架，能够直接将 repository 以 HATEOAS 风格暴露为 Web 服务，无需手动编写 Controller 层。本指南将深入分析 Spring Data REST 的工作原理和安全风险。<\/p>

1. 请求路径组成<\/h2>

2. 请求解析过程<\/h2>

3. 安全风险与防护<\/h2>

0. 概述<\/h2>
Spring Data REST 是建立在 Data Repository 之上的框架，能够直接将 repository 以 HATEOAS 风格暴露为 Web 服务，无需手动编写 Controller 层。本指南将深入分析 Spring Data REST 的工作原理和安全风险。<\/p>