I'm developing a basic CRUD web application using React and Spring. Since the frontend isn't ready yet, I'm using Postman for testing. I have this method, but I just discovered that anyone can send an HTTP request and get all the data, as long as they know the id.
```java
import java.util.HashMap;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

// Any caller who knows (or guesses) idUtente gets this patient's profile:
// nothing here checks who is asking or whether the id belongs to them.
@PostMapping("/utente")
public ResponseEntity<Object> getDatiProfiloUtente(@RequestBody final Long idUtente) {
    HashMap<String, Object> map = new HashMap<>();
    Paziente paziente = service.findPazienteById(idUtente);
    map.put("nome", paziente.getNome());
    map.put("cognome", paziente.getCognome());
    map.put("email", paziente.getEmail());
    map.put("nTelefono", paziente.getNumeroTelefono());
    map.put("emailCaregiver", paziente.getEmailCaregiver());
    map.put("nomeCaregiver", paziente.getNomeCaregiver());
    map.put("cognomeCaregiver", paziente.getCognomeCaregiver());
    return new ResponseEntity<>(map, HttpStatus.OK);
}
```
How do I provide security? I want only logged-in users to be able to view their own data.
You want to use the `@Secured` annotation provided by Spring Security; this Baeldung article is a good resource that explains in detail how to set up the method security you want.
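As an added example (not code from the question or the answer), here is how the endpoint looks once `@Secured` gates it and the patient is resolved from the authenticated principal instead of a client-supplied id. It assumes Spring Security 6 with `@EnableMethodSecurity`, that the login username is the patient's e-mail, and a hypothetical `PazienteService.findPazienteByEmail(String)`.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Enables @Secured; without this the annotation is silently ignored.
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {
}

@RestController
public class ProfiloController {

    private final PazienteService service;   // same service as in the question

    public ProfiloController(PazienteService service) {
        this.service = service;
    }

    // @Secured rejects anonymous callers and callers lacking ROLE_PAZIENTE
    // before the method body runs (assumed role name).
    @Secured("ROLE_PAZIENTE")
    @GetMapping("/utente")
    public ResponseEntity<Map<String, Object>> getDatiProfiloUtente(Principal principal) {
        // Identity comes from the session/token Spring Security authenticated, never from
        // the request body, so a logged-in user cannot ask for someone else's record.
        String email = principal.getName();                       // assumes username == e-mail
        Paziente paziente = service.findPazienteByEmail(email);   // hypothetical lookup
        if (paziente == null) {
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        }
        Map<String, Object> map = new HashMap<>();
        map.put("nome", paziente.getNome());
        map.put("cognome", paziente.getCognome());
        map.put("email", paziente.getEmail());
        map.put("nTelefono", paziente.getNumeroTelefono());
        map.put("emailCaregiver", paziente.getEmailCaregiver());
        map.put("nomeCaregiver", paziente.getNomeCaregiver());
        map.put("cognomeCaregiver", paziente.getCognomeCaregiver());
        return new ResponseEntity<>(map, HttpStatus.OK);
    }
}
```

If an id still has to be accepted (an admin view, for instance), compare it against the authenticated user's own record server-side rather than trusting the value sent by the client.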