I want to create a multi user api, where users log in to a restful service and have their own space for say a booking class. Bookings are not shared between users.

I'm struggling to understand what the best pattern is to create this, while utilizing as much as possible of the magic of spring boot.

I'm using Spring Boot JPA and defining a User and Booking class with @Entity.

My booking then references this user class. However is there a way I can use @RepositoryRestResource or a similar annotation to automatically isolate data models for each user then use Spring Security to secure the CRUD endpoint or do I need to create my own @RestResponse that looks up users based on their Authorization and then create a findByUser method to perform the isolation?

(note i'm new to Spring, Spring Boot etc)

Edit: it's been suggested I look into ACLs, but i'm struggling to find good SIMPLE resources explaining how they work

If you really have isolated data for each user and you want a transparent mechanism to be able to select or update only the data you are allowed to see you should look T eclipselink's multitenancy support.

http://wiki.eclipse.org/EclipseLink/Development/Indigo/Multi-Tenancy

Here is a question with accepted answer about setting this up in spring-data-jpa Multi tenancy with spring data jpa and eclipselink

Also hibernate seems to have support for multitenancy http://docs.jboss.org/hibernate/orm/5.0/userGuide/en-US/html_single/#d5e3197

But keep in mind that queries on multitenancy enabled entities are then always filtered by the tenant id - so the separation is quite strict.