I'm developing a basic CRUD web application using React and Spring. Since the frontend isn't ready yet, I'm using Postman for testing. I have this method, but I just discovered that anyone can send an HTTP request and get all the data, as long as they know the id.
@PostMapping("/utente")
public ResponseEntity<Object> getDatiProfiloUtente(@RequestBody final Long idUtente){
HashMap<String, Object> map = new HashMap<>();
Paziente paziente = service.findPazienteById(idUtente);
map.put("nome", paziente.getNome());
map.put("cognome", paziente.getCognome());
map.put("email", paziente.getEmail());
map.put("nTelefono", paziente.getNumeroTelefono());
map.put("emailCaregiver", paziente.getEmailCaregiver());
map.put("nomeCaregiver", paziente.getNomeCaregiver());
map.put("cognomeCaregiver", paziente.getCognomeCaregiver());
return new ResponseEntity<>(map, HttpStatus.OK);
}
How do I provide security? I want only logged in users to be able to view their own data.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
You want to use the
@Securedannotations provided by Spring Security, this baeldung article is a good resource that explains in detail how to set up your desired method safety.