diff --git a/Prototype/server/src/controllers/cabinetController.ts b/Prototype/server/src/controllers/cabinetController.ts
index 344eb82..7e64364 100644
--- a/Prototype/server/src/controllers/cabinetController.ts
+++ b/Prototype/server/src/controllers/cabinetController.ts
@@ -1,4 +1,17 @@
-import { Body, Controller, Delete, Get, Path, Post, Put, Route, SuccessResponse, Tags } from "tsoa";
+import {
+ Body,
+ Controller,
+ Delete,
+ Get,
+ Path,
+ Post,
+ Put,
+ Route,
+ Security,
+ SuccessResponse,
+ Tags,
+ Request,
+} from "tsoa";
 import * as Minio from "minio";
 import minioClient from "../storage";
@@ -17,12 +30,16 @@ export class CabinetController extends Controller {
 @Post("/")
 @Tags("Cabinet")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.CREATED)
- public async createCabinet(@Body() body: { name: string }) {
+ public async createCabinet(
+ @Request() request: { user: { preferred_username: string } },
+ @Body() body: { name: string },
+ ) {
 const uploaded = await minioClient
 .putObject("ehr", `${body.name}/.keep`, "", 0, {
 createdAt: new Date().toISOString(),
- createdBy: "SomeUser",
+ createdBy: request.user.preferred_username,
 })
 .catch((e) => console.error(e));
@@ -33,6 +50,7 @@ export class CabinetController extends Controller {
 @Put("/{cabinetName}")
 @Tags("Cabinet")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT, "Success")
 public async editCabinet(
 @Path() cabinetName: string,
@@ -66,6 +84,7 @@ export class CabinetController extends Controller {
 @Delete("/{cabinetName}")
 @Tags("Cabinet")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT)
 public async deleteCabinet(@Path() cabinetName: string) {
 return new Promise((resolve, reject) => {
diff --git a/Prototype/server/src/controllers/drawerController.ts b/Prototype/server/src/controllers/drawerController.ts
index c66dec5..2100bc1 100644
--- a/Prototype/server/src/controllers/drawerController.ts
+++ b/Prototype/server/src/controllers/drawerController.ts
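Review bot: In the createCabinet hunk of cabinetController.ts, `createdBy: request.user.preferred_username` records a mutable, optional OIDC claim as the audit identity on objects in the `ehr` bucket. `preferred_username` is not guaranteed to be unique or stable, and a token may omit it, in which case the metadata is written with `undefined` even though the inline request shape declares a `string`. Prefer the immutable subject claim, e.g. `createdBy: request.user.sub`, optionally with the username next to it, and reject the request when the claim is missing. The same line appears in the createDrawer, createFolder and subfolder createFolder hunks, so a shared request interface would keep the four controllers in step. What populates `request.user` is outside this diff; confirm the claim names against the authentication handler.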
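Review bot: In the editCabinet hunk of cabinetController.ts, `@Security("bearerAuth")` is added without a scopes argument, so as far as the hunk shows the route checks only that a token is valid, not what its holder is allowed to do. Any authenticated caller can then rename a cabinet, and the deleteCabinet, editDrawer, deleteDrawer, editFolder, deleteFolder and subfolder edit/delete hunks carry the same bare decorator. Unless the authentication handler enforces roles on its own (it is not visible here), pass the required scope and check it there, e.g. `@Security("bearerAuth", ["cabinet:write"])` (scope name is illustrative). editCabinet's body continues outside the hunk.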
@@ -1,4 +1,17 @@
-import { Body, Controller, Delete, Get, Path, Post, Put, Route, SuccessResponse, Tags } from "tsoa";
+import {
+ Body,
+ Controller,
+ Delete,
+ Get,
+ Path,
+ Post,
+ Put,
+ Request,
+ Route,
+ Security,
+ SuccessResponse,
+ Tags,
+} from "tsoa";
 import * as Minio from "minio";
 import minioClient from "../storage";
@@ -17,8 +30,13 @@ export class DrawerController extends Controller {
 @Post("/{cabinetName}/drawer")
 @Tags("Drawer")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.CREATED)
- public async createDrawer(@Path() cabinetName: string, @Body() body: { name: string }) {
+ public async createDrawer(
+ @Request() request: { user: { preferred_username: string } },
+ @Path() cabinetName: string,
+ @Body() body: { name: string },
+ ) {
 if (!(await pathExist(`${cabinetName}/`))) {
 throw new HttpError(HttpStatusCode.PRECONDITION_FAILED, "Cabinet cannot be found.");
 }
@@ -26,7 +44,7 @@ export class DrawerController extends Controller {
 const uploaded = await minioClient
 .putObject("ehr", `${cabinetName}/${body.name}/.keep`, "", 0, {
 createdAt: new Date().toISOString(),
- createdBy: "SomeUser",
+ createdBy: request.user.preferred_username,
 })
 .catch((e) => console.error(e));
@@ -39,6 +57,7 @@ export class DrawerController extends Controller {
 @Put("/{cabinetName}/drawer/{drawerName}")
 @Tags("Drawer")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT)
 public async editDrawer(
 @Path() cabinetName: string,
@@ -78,6 +97,7 @@ export class DrawerController extends Controller {
 @Delete("/{cabinetName}/drawer/{drawerName}")
 @Tags("Drawer")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT)
 public async deleteDrawer(@Path() cabinetName: string, @Path() drawerName: string) {
 return new Promise((resolve, reject) => {
diff --git a/Prototype/server/src/controllers/folderController.ts b/Prototype/server/src/controllers/folderController.ts
index b845972..3d3104d 100644
--- a/Prototype/server/src/controllers/folderController.ts
+++ b/Prototype/server/src/controllers/folderController.ts
@@ -7,7 +7,9 @@ import {
 Post,
 Put,
 Query,
+ Request,
 Route,
+ Security,
 SuccessResponse,
 Tags,
 } from "tsoa";
@@ -39,8 +41,10 @@ export class FolderController extends Controller {
 @Post("/{cabinetName}/drawer/{drawerName}/folder")
 @Tags("Folder")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.CREATED)
 public async createFolder(
+ @Request() request: { user: { preferred_username: string } },
 @Body() body: { name: string },
 @Path() cabinetName: string,
 @Path() drawerName: string,
@@ -52,7 +56,7 @@ export class FolderController extends Controller {
 const uploaded = await minioClient
 .putObject("ehr", `${cabinetName}/${drawerName}/${body.name}/.keep`, "", 0, {
 createdAt: new Date().toISOString(),
- createdBy: "SomeUser",
+ createdBy: request.user.preferred_username,
 })
 .catch((e) => console.error(e));
@@ -65,6 +69,7 @@ export class FolderController extends Controller {
 @Put("/{cabinetName}/drawer/{drawerName}/folder/{folderName}")
 @Tags("Folder")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT)
 public async editFolder(
 @Body() body: { name: string },
@@ -110,6 +115,7 @@ export class FolderController extends Controller {
 @Delete("/{cabinetName}/drawer/{drawerName}/folder/{folderName}")
 @Tags("Folder")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT)
 public async deleteFolder(
 @Path() cabinetName: string,
diff --git a/Prototype/server/src/controllers/subFolderController.ts b/Prototype/server/src/controllers/subFolderController.ts
index a8f518d..0c96cb7 100644
--- a/Prototype/server/src/controllers/subFolderController.ts
+++ b/Prototype/server/src/controllers/subFolderController.ts
@@ -7,7 +7,9 @@ import {
 Post,
 Put,
 Query,
+ Request,
 Route,
+ Security,
 SuccessResponse,
 Tags,
 } from "tsoa";
@@ -23,6 +25,7 @@ import minioClient from "../storage";
 export class SubFolderController extends Controller {
 @Get("/{cabinetName}/drawer/{drawerName}/folder/{folderName}/subfolder")
 @Tags("SubFolder")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.OK)
 public async listFolder(
 @Path() cabinetName: string,
@@ -40,8 +43,10 @@ export class SubFolderController extends Controller {
 @Post("/{cabinetName}/drawer/{drawerName}/folder/{folderName}/subfolder")
 @Tags("SubFolder")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.CREATED)
 public async createFolder(
+ @Request() request: { user: { preferred_username: string } },
 @Body() body: { name: string },
 @Path() cabinetName: string,
 @Path() drawerName: string,
@@ -57,7 +62,7 @@ export class SubFolderController extends Controller {
 const uploaded = await minioClient
 .putObject("ehr", `${cabinetName}/${drawerName}/${folderName}/${body.name}/.keep`, "", 0, {
 createdAt: new Date().toISOString(),
- createdBy: "SomeUser",
+ createdBy: request.user.preferred_username,
 })
 .catch((e) => console.error(e));
@@ -70,6 +75,7 @@ export class SubFolderController extends Controller {
 @Put("/{cabinetName}/drawer/{drawerName}/folder/{folderName}/subfolder/{subFolderName}")
 @Tags("SubFolder")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT)
 public async editFolder(
 @Body() body: { name: string },
@@ -116,6 +122,7 @@ export class SubFolderController extends Controller {
 @Delete("/{cabinetName}/drawer/{drawerName}/folder/{folderName}/subfolder/{subFolderName}")
 @Tags("SubFolder")
+ @Security("bearerAuth")
 @SuccessResponse(HttpStatusCode.NO_CONTENT)
 public async deleteFolder(
 @Path() cabinetName: string,
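Review bot: In the listFolder hunk of subFolderController.ts, this is the only read route that receives `@Security("bearerAuth")` in the commit; cabinetController, drawerController and folderController all import `Get`, yet none of their hunks touches a GET handler. If those list routes exist and stay undecorated, cabinet, drawer and folder names in the `ehr` bucket remain readable without a token while subfolder listing requires one. Either decorate them in the same change or place `@Security("bearerAuth")` on each controller class so that routes added later are covered by default. listFolder's body continues outside the hunk.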