Currently, the endpoints are served from /. Since the service has to run in the common infrastructure along with other avni services, define the base path for all the endpoints.
Protect the URLs so that they can be accessed only by users who are authenticated. (WebSecurityConfig.java and using the role annotation). Some URLs are protected and some are not. Review needs to be done and then protected.