In a Java EE application there are users (user); each user can create documents (Document).
Access to the documents is via JAX-RS.
Before a user gets access to the documents he needs to sign in, after which he can make queries of the form example.com/documents.
He must only be able to access his own documents and get an error when trying to obtain/remove/modify someone else's document.
How do I organize user login and verify that a document belongs to the user when removing/updating documents?
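One way to enforce the per-document ownership check described in the question, as an added example that is not part of the original post. It assumes container-managed authentication already protects `/documents/*`, so that the JAX-RS `SecurityContext` carries the logged-in user; the `Document` class, the in-memory `STORE` and the `loadOwned` helper are hypothetical names.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.*;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/documents")
@Produces(MediaType.TEXT_PLAIN)
public class DocumentResource {
    // Hypothetical entity: each document records the login name of its creator.
    static class Document { long id; String owner; String text; }
    // Hypothetical in-memory store standing in for a JPA repository.
    private static final Map<Long, Document> STORE = new ConcurrentHashMap<>();

    // Injected per request; populated by the container after login
    // (assumption: a security constraint covers /documents/*).
    @Context
    private SecurityContext security;

    // Single choke point: every handler that takes an id goes through this check.
    private Document loadOwned(long id) {
        if (security.getUserPrincipal() == null) {
            throw new NotAuthorizedException("Basic");            // 401: not logged in
        }
        Document doc = STORE.get(id);
        if (doc == null) throw new NotFoundException();           // 404: no such document
        String caller = security.getUserPrincipal().getName();
        if (!caller.equals(doc.owner)) throw new ForbiddenException(); // 403: not the owner
        return doc;
    }

    @GET @Path("{id}")
    public String get(@PathParam("id") long id) { return loadOwned(id).text; }

    @PUT @Path("{id}") @Consumes(MediaType.TEXT_PLAIN)
    public String update(@PathParam("id") long id, String text) {
        Document doc = loadOwned(id);   // ownership verified before any change
        doc.text = text;
        return doc.text;
    }

    @DELETE @Path("{id}")
    public Response delete(@PathParam("id") long id) {
        STORE.remove(loadOwned(id).id); // ownership verified before removal
        return Response.noContent().build();
    }
}
```

The owner is always taken from the authenticated principal on the server side, never from a request parameter or body field supplied by the client.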