So, I'm working on a Spring Boot Web App that utilizes Spring Security for login authentication. Currently, we have three types of users who get redirected to the appropriate dashboard and when they try to access the other dashboards through a direct URL, they are denied access. Any unauthenticated user is also denied access to the rest of the site. While testing, I had found that once a user had successfully been authenticated, if they were to use a direct URL to "/", or localhost:8080 for testing, instead of being redirected to the login page as they would when not authenticated, a JSON with information of our tables in our MongoDB instance would be returned. Worse, if they appended a table name to the URL, they would receive the entire table in JSON form.
Example: http://localhost:8080/premios (Currently holding dummy values)
{
  "_embedded" : {
    "premios" : [ {
      "title" : "hdlkfjgd",
      "description" : "dflgkj",
      "points" : 20,
      "enabled" : false,
      "_links" : {
        "self" : {
          "href" : "http://localhost:8080/premios/5a013a974833be43fa38dc53"
        },
        "premio" : {
          "href" : "http://localhost:8080/premios/5a013a974833be43fa38dc53"
        }
      }
    }, {
      "title" : "dfdggd",
      "description" : "dfgd",
      "points" : 5,
      "enabled" : false,
      "_links" : {
        "self" : {
          "href" : "http://localhost:8080/premios/5a0a11964833be69a480a901"
        },
        "premio" : {
          "href" : "http://localhost:8080/premios/5a0a11964833be69a480a901"
        }
      }
    }, {
      "title" : "alksksjlkakjf",
      "description" : "sdlkfkjsdlfkj",
      "points" : 5,
      "enabled" : false,
      "_links" : {
        "self" : {
          "href" : "http://localhost:8080/premios/5a0a12b24833be6a6e47a22a"
        },
        "premio" : {
          "href" : "http://localhost:8080/premios/5a0a12b24833be6a6e47a22a"
        }
      }
    } ]
  },
  "_links" : {
    "self" : {
      "href" : "http://localhost:8080/premios{?page,size,sort}",
      "templated" : true
    },
    "profile" : {
      "href" : "http://localhost:8080/profile/premios"
    },
    "search" : {
      "href" : "http://localhost:8080/premios/search"
    }
  },
  "page" : {
    "size" : 20,
    "totalElements" : 3,
    "totalPages" : 1,
    "number" : 0
  }
}
How can I prevent this? Is this due to how I have Spring Security set up, or something I need to do on our mLab to only allow controllers on the backend to make queries? The above premios URL is not a defined request method in any of our controllers so I'm not sure why it's working. Here's how it's configured:
WebSecurityConfig.java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private SimpleAuthenticationSuccessHandler successHandler;

    // Registers the custom UserDetailsService with the global AuthenticationManager.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                CustomUserDetailsService userDetailsService) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/css/**", "/js/**", "/images/**", "/script/**").permitAll()
                .antMatchers("/signup").permitAll()
                .antMatchers("/webapp/admin").hasRole("ADMIN")
                .antMatchers("/webapp/sales").hasRole("SALES")
                .antMatchers("/webapp/business").hasRole("USER")
                // Every path not matched above (including "/" and "/premios")
                // is allowed for any authenticated user, whatever their role.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .successHandler(successHandler)
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login")
                .permitAll();
    }
}
SimpleAuthenticationSuccessHandler.java
import java.io.IOException;
import java.util.Collection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class SimpleAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    // Sends the user to the dashboard for their role. Returns after the first
    // redirect: a forEach would attempt a second sendRedirect on an already
    // committed response for a user holding more than one of these roles.
    // IOException is declared by the method, so there is no need to swallow it.
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (GrantedAuthority authority : authorities) {
            String role = authority.getAuthority();
            if (role.equals("ROLE_ADMIN")) {
                redirectStrategy.sendRedirect(request, response, "/webapp/admin");
                return;
            } else if (role.equals("ROLE_SALES")) {
                redirectStrategy.sendRedirect(request, response, "/webapp/sales");
                return;
            } else if (role.equals("ROLE_USER")) {
                redirectStrategy.sendRedirect(request, response, "/webapp/business");
                return;
            }
        }
        // No recognised role: fail loudly rather than leave the response empty.
        throw new IllegalStateException("No dashboard mapped for authorities " + authorities);
    }
}
Maybe it's something to do with the success handler? I'm new to using Spring Boot and building a Web App, so any help is much appreciated!
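One way to close the gap described above, as an added example that is not the asker's code: the `_embedded`/`_links`/`profile` shape of the output is Spring Data REST's HAL format, which auto-exports every Spring Data repository under its own path, and `.anyRequest().authenticated()` lets any logged-in user reach those endpoints. The repository and entity names (`PremioRepository`, `Premio`), the `/api` base path and the class name `HardenedWebSecurityConfig` are assumptions; the success-handler wiring is left out to keep only the authorization rules.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

class Premio { }  // stand-in for the asker's document class (assumption)

// Fix 1: do not export the repository over HTTP at all. Spring Data REST
// publishes every repository it finds ("/premios", "/profile/premios", ...);
// exported = false keeps it usable from your own controllers and services
// but removes the generated endpoints. Interface name is an assumption.
@RepositoryRestResource(exported = false)
interface PremioRepository extends MongoRepository<Premio, String> { }

// Fix 2 (defence in depth, for repositories that must stay exported): move
// all generated endpoints under one prefix, so one matcher covers the tables
// you have and the ones you add later. In application.properties:
//   spring.data.rest.base-path=/api
// Then lock that prefix down explicitly, ahead of anyRequest().authenticated().
@Configuration
@EnableWebSecurity
class HardenedWebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/css/**", "/js/**", "/images/**", "/script/**").permitAll()
                .antMatchers("/signup").permitAll()
                // Generated repository API: no browser user needs it. Swap
                // denyAll() for hasRole("ADMIN") if an admin tool must call it.
                .antMatchers("/api/**").denyAll()
                .antMatchers("/webapp/admin").hasRole("ADMIN")
                .antMatchers("/webapp/sales").hasRole("SALES")
                .antMatchers("/webapp/business").hasRole("USER")
                // "authenticated" means any role; this rule is why every
                // logged-in user could read /premios. Keep it as the fallback
                // for the rest of the site, with the specific matchers above it.
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().logoutSuccessUrl("/login").permitAll();
        // csrf() is left at its default (enabled) here; the posted config
        // disables it. Thymeleaf th:action forms include the token automatically.
    }
}
```

With the base path moved, a request to "/" no longer returns the repository index either, so a logged-in user who types the root URL gets whatever your own controller maps there instead of the MongoDB collection listing.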