usually these things are done with tokens. those. at the first request, the client is identified in the system and receives a unique token ( number \ string \ hash ) and all subsequent messages are already sent with this token and its rights and capabilities are determined based on it.
if possible, I would look towards spring-ws and spring-security. they are more or less successful in trying to provide a convenient api for all this. and work almost out of the box. but I doubt the feasibility.

For example, you can create a createdBy or owner field to store the user who created the document. And when you try to access someone else's document, return status 403.
In order to transfer user data, you can either use a cookie or pass username / password in each request.

User login to the system should be done through a ready-made framework. I am using Apache Shiro. It's definitely not worth writing something of your own for authorization.
Checking if a document belongs to a user can be done through the user ID (PK in the database, for example): when creating a document, write the user ID to the document, and when changing/deleting the document, compare the current user ID and the user ID stored in the document. When using Shiro, getting the current user is not a problem.