HAL API - mountpoint path was overiden by _scope param

We have multiple channels and we expect to secure one of the channel.
Need to restrict channelX at path (/content/documents/channel-x) and channelY as public visible.
After enabling hal-api, secured channelY was exposed with _scope param.
Mountpoint restriction was not working as expected.

Is this intentially done. Can someone help on this.

Ex: http://localhost:8081/site/halapi/documents?_scope=/content/documents/channely
expected scenario was is shouldn’t expose this folder documents.

How exactly did you secure channel Y, by hst:authenticated config I guess?

HAL doesn’t look at that, it looks just directly at the content.
You could override GenericHalApiDocsResource#getScopeNode are do a Spring reconfiguration to get your customization in. Or protect the content by security domains, probably need changing the user session for HAL too.


Hi Jeroen,

Thanks, we restricted by customizing valve implementation approach.

With this approach we can’t return JSON response based on Custom Exception/ WebApplicationException. It gives only ContainerException rather than WebApplicationExceptionMapper impl.