Our Messages App is a simplified demo application. It doesn't have many features that a typical web application should have. For example, it lacks security checking. Currently, we allow anyone to post messages via the `/messages` (POST) API. A simple fix is to add security check logic inside the API handler, the `MessageController.saveMessage()` method, as follows:
```java
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MessageController {

    @PostMapping("/messages")
    public ResponseEntity<Message> saveMessage(@RequestBody MessageData data) {
        checkSecurity();   // reject unauthorized callers before doing any work
        ...
    }

    // NotAuthorizedException must be unchecked (extend RuntimeException),
    // since saveMessage() does not declare it in a throws clause.
    private void checkSecurity() throws NotAuthorizedException {
        // Do security checking
        ...
    }
}
```
Inside the `saveMessage()` method, we invoke the `checkSecurity()` method immediately and, if the request is not authorized, `NotAuthorizedException` will be thrown.
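To make the in-handler check concrete, here is an added example (not code from the original article or the Messages App) that fills in `checkSecurity()` with a bearer-token check and shows how the thrown exception becomes an HTTP 401. It assumes Spring Boot 3 (`jakarta.servlet`), that `NotAuthorizedException` extends `RuntimeException`, that `Message`, `MessageData` and a `MessageRepository` exist in the demo app, and it introduces a hypothetical `ApiTokenStore` component with one constructed sample token.

```java
// Added example, not part of the original article. Assumes Spring Boot 3
// (jakarta.servlet). Message, MessageData and MessageRepository are assumed
// to exist in the demo app; ApiTokenStore is hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Unchecked, so it can propagate out of the handler without a throws clause.
// @ResponseStatus makes Spring translate it into a 401 response.
@ResponseStatus(HttpStatus.UNAUTHORIZED)
class NotAuthorizedException extends RuntimeException {
    NotAuthorizedException(String message) {
        super(message);
    }
}

// Hypothetical token store. The single token is a constructed sample;
// a real application would load credentials from a secret store.
@Component
class ApiTokenStore {
    private final List<byte[]> valid =
            List.of("demo-token-123".getBytes(StandardCharsets.UTF_8));

    boolean isValid(String presented) {
        byte[] candidate = presented.getBytes(StandardCharsets.UTF_8);
        boolean ok = false;
        for (byte[] token : valid) {
            // Constant-time comparison avoids leaking token bytes via timing.
            ok |= MessageDigest.isEqual(token, candidate);
        }
        return ok;
    }
}

@RestController
public class MessageController {

    private final MessageRepository repository;   // assumed demo-app repository
    private final ApiTokenStore tokens;           // hypothetical component

    public MessageController(MessageRepository repository, ApiTokenStore tokens) {
        this.repository = repository;
        this.tokens = tokens;
    }

    @PostMapping("/messages")
    public ResponseEntity<Message> saveMessage(@RequestBody MessageData data,
                                               HttpServletRequest request) {
        checkSecurity(request);   // must run before anything is persisted
        Message saved = repository.save(new Message(data.getText()));
        return ResponseEntity.status(HttpStatus.CREATED).body(saved);
    }

    private void checkSecurity(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            throw new NotAuthorizedException("missing bearer token");
        }
        String presented = header.substring("Bearer ".length()).trim();
        if (presented.isEmpty() || !tokens.isValid(presented)) {
            throw new NotAuthorizedException("invalid token");
        }
    }
}
```

Two details are worth noting: the check is the first statement in the handler, so a rejected request never reaches `repository.save()`, and the token comparison uses `MessageDigest.isEqual` rather than `String.equals` so that a wrong token fails in the same time regardless of how many leading bytes match.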