Authorization at the controller level in Spring Boot


Spring Security allows us to secure API endpoints by using roles.

In my example, users in a specific role should not be able to see the data of other users in the same role. Only Admin is allowed to do that. So if somebody is in a 'USER' role, Spring Security allows me to secure the API endpoint and only allow the USER role access to /users. If the user with id=1 is logged on, they should not be able to see data belonging to the user with id=2, but if they type /users/2 in the browser, Spring Security will not restrict them. So we will need to add logic to the code in the controller or service to check the currently logged-in user and compare that to the id in the query string. If they don't match, a custom exception needs to be thrown forbidding the action.

Is this how it is normally done in Spring, or is there another canned approach that the Spring framework provides to handle this scenario? I only have a few months of experience with Spring Boot, so I apologize if the question comes across as trivial.


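The check the question describes (compare the requested id with the logged-in user, refuse if they differ) can be expressed declaratively with Spring Security method security instead of hand-written controller code. The following is an added example written for this page, not code from the question or any answer. It assumes Spring Boot 3 / Spring Security 6, that the authenticated principal's name is the user's numeric id as a string (e.g. "1"), and that users carry the authority ROLE_USER or ROLE_ADMIN; the package, class and bean names (OwnershipChecker, UserDto, the ownership bean) are illustrative.

```java
// Added example: object-level authorization in Spring Security with @PreAuthorize.
// Assumptions (not stated in the question): Spring Boot 3 / Spring Security 6,
// the principal name is the numeric user id as a string, admins hold ROLE_ADMIN.
package com.example.demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize evaluation (Spring Security 6 name)
class MethodSecurityConfig {}

/** Reusable ownership rule; referenced from SpEL as @ownership (hypothetical bean name). */
@Component("ownership")
class OwnershipChecker {
    public boolean isSelf(long requestedId, Authentication auth) {
        // Assumed convention: the principal name is the numeric user id.
        return auth != null
                && auth.isAuthenticated()
                && String.valueOf(requestedId).equals(auth.getName());
    }
}

/** Constructed response type for the example. */
record UserDto(long id, String email) {}

@RestController
@RequestMapping("/users")
class UserController {

    // Declarative form: ADMIN may read anyone, everyone else only their own record.
    // The expression runs before the method body; if it is false Spring throws
    // AccessDeniedException, which the security filter chain turns into HTTP 403.
    @GetMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN') or @ownership.isSelf(#id, authentication)")
    public UserDto getUser(@PathVariable long id) {
        return new UserDto(id, "user" + id + "@example.com"); // constructed sample data
    }

    // Imperative form of the same rule, i.e. the manual check the question describes,
    // shown for comparison. Same outcome, but the rule is buried in the method body.
    @GetMapping("/{id}/profile")
    public UserDto getProfile(@PathVariable long id) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean admin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        if (!admin && !String.valueOf(id).equals(auth.getName())) {
            throw new AccessDeniedException(
                    "user " + auth.getName() + " may not read user " + id);
        }
        return new UserDto(id, "user" + id + "@example.com"); // constructed sample data
    }
}
```

Two practical notes: `#id` in the SpEL expression relies on parameter names being available at runtime, which the Spring Boot Maven and Gradle plugins provide by compiling with `-parameters`; and `hasRole('ADMIN')` matches the authority `ROLE_ADMIN`, so the prefix must be present on the granted authorities. Where ownership is only known after the entity has been loaded (for example an `ownerId` field on the returned object), `@PostAuthorize` on the service method with `returnObject` is the matching declarative tool.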