Access Token and Acegi on a REST/JSON Webservice

[gavind]

Hi,

I've read the forums a bit and wanted to get some advice on the best approach -

I'm trying to setup a REST/ JSON web service using CXF and Acegi (yes not Spring Security yet). The primary consumer of the webservice is a mobile device. The webservice must be able to authenticate a user on the very first call, and then assign a token that can be used to authenticate the user on subsequent requests. I'd like to confirm if -

1) Acegi provides an access token solution out of the box?, or,
2) Will a filter need to be setup, before the Acegi filters are hit, so that it can accept a token from the request header, map it to a username/ password and add these credentials to the SecurityContext?
3) Should I use OAuth, which seems overkill since the webservice does not need to communicate with a facebook or linkedin.
4) Is Kerberos an option given my application is on a Unix box?

Thanks!

[gavind]

A small update -

A team member investigated OAuth, and determined that a 2-legged authentication fits nicely, while securing access to a webservice API via access tokens.