Spring Security x509 thoughts
i was hoping to bounce some ideas/get some thoughts on a security impl.
we are exposing some REST endpts. via a Grails app for a UI and other future 3rd party apps (esb, web app, etc) to utilize. we are in a 2 way SSL environment so everything is 'pre-authenticated' thus Spring Security x509 seems to be the proper solution. since everything accessing this app is already authenticated all we need to do is use a some sort of web service in our Grails app to get roles from a 3rd party (ldap, whatever).
we want to make this call to get roles on the initial request but NOT all subsequent requests. im thinking that storing this info in session and checking the header for a jsessionid or some authorization header on subsequent requests and checking avail. sessions for that sessionid/header is best way to go about this.
any input would be appreciated.