Describe the bug
I have a sample Spring Boot application which has Web/REST/H2/Hibernate/DevTools, and I am trying to get it all working so I can play with OAuth 2. I have created the 'users' and 'authorities' tables (per the description on the Spring.io website) in the H2 in-memory DB, built the entity Java files (Users.java and Authorities.java) and their CrudRepository stuff, and added default security in, and then realized that I can simply go to http://localhost:8090/users and all my user table info is displayed, which is a problem.

To stop this default bad behavior I have added the following security filter.

http.authorizeRequests().antMatchers("/users", "/users/", "/groups", "/groups/", "/profile", "/profile/").denyAll();

To Reproduce
1 - Create a Spring Boot app with Spring Security, Web, REST and H2
2 - Create the tables using the schemas (https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/appendix-schema.html)
3 - Create the Users.java and Authorities.java entity files
4 - Create a CrudRepository for each entity above
5 - Go to your URL (e.g. http://localhost:8090/users)

Expected behavior
All the information from the user table is listed in your browser:

{
  "_embedded": {
    "users": [
      {
        "firstname": "Jon",
        "lastname": "Smith",
        "username": "jon1",
        "password": "$2a$10$k4.ilzDlkE2PIqSBuF3jv.u4GWmt2AmpzAUQSd8FoPenFGNBRb.yG",
        "enabled": true,
        "created": "2022-02-21T13:26:01.223265-05:00",
        "updated": "2022-02-21T13:26:01.223639-05:00",
        "who": "javaApp",
        "comment": "test123@",
        "_links": {
          "self": { "href": "http://localhost:8090/users/1" },
          "users": { "href": "http://localhost:8090/users/1" }
        }
      }
    ]
  },
  "_links": {
    "self": { "href": "http://localhost:8090/users" },
    "profile": { "href": "http://localhost:8090/profile/users" },
    "search": { "href": "http://localhost:8090/users/search" }
  }
}

Sample
https://github.com/AtlantaKid/SpringSecuritySample.git (use the userid 'jon1' and password 'test123@' to log in). Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.

Comment From: jgrandja

@AtlantaKid The UsersRepository is accessible via REST since it's exposed using Spring Data's @RepositoryRestResource. See UsersRepository and AuthoritiesRepository.

Remove the @RepositoryRestResource from all entities that expose sensitive information or ensure you correctly secure those endpoints.

I'll close this based on application misconfiguration.
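The two remedies named in the comment above, worked through as an added example; this is not code from the linked SpringSecuritySample repository or from the Spring project. It assumes Spring Boot 2.x with Spring Data REST and Spring Security 5.4 or later on the classpath, a Users entity shaped like the one in the report, and an assumed ROLE_ADMIN authority for whoever may read user records. One caveat a practitioner would want: the reporter's own rule lists only "/users" and "/users/" for denyAll, while the HAL output above links to "/users/1" and "/users/search", which those two literal patterns do not match, so the rule below uses the "/**" subtree form.

```java
// Added example (not from the AtlantaKid/SpringSecuritySample repository).
// Assumes Spring Boot 2.x (javax.persistence), Spring Data REST and Spring Security 5.4+.
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Minimal stand-in for the report's Users.java (assumed shape).
@Entity
class Users {
    @Id
    @GeneratedValue
    private Long id;

    private String username;

    // Defence in depth: even if this entity is ever serialised, the password hash
    // is accepted on input (create/update) but never written into a response.
    @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
    private String password;

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// Remedy 1: stop exporting the repository over REST.
// Spring Data REST exports public Spring Data repositories by default, so merely
// deleting the @RepositoryRestResource annotation does not hide this repository;
// exported = false removes /users, /users/{id} and /users/search from the HAL API.
@RepositoryRestResource(exported = false)
interface UsersRepository extends CrudRepository<Users, Long> {
}

// Remedy 2: if the endpoints must stay exported, secure the whole subtree.
@Configuration
class RestApiSecurityConfig {

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // "/users/**" also covers "/users/1" and "/users/search", which the
                // literal "/users" and "/users/" patterns in the report leave open.
                // ROLE_ADMIN is an assumed authority from the 'authorities' table.
                .antMatchers("/users/**", "/groups/**").hasRole("ADMIN")
                // The ALPS/profile metadata describes the data model; keep it private.
                .antMatchers("/profile/**").denyAll()
                // Default-deny: anything not listed above needs an authenticated caller.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
        return http.build();
    }
}
```

Remedy 1 is the one to prefer when the repository was never meant to be an API; Remedy 2 is for repositories that must be reachable, and its `anyRequest().authenticated()` line is what keeps a newly added repository from being exposed anonymously by default. After applying either, an unauthenticated GET of http://localhost:8090/users/1 should return 401 (Remedy 2) or 404 (Remedy 1) rather than the record shown in the report.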