Hi There,

I have implemented a REST webservice and as part of that I have two enrollment requests that are required before users formally login. The first request must be complete before the second can be completed. If a user tries to directly access the URL of the 2nd enrollment request without a valid session (created from the first request) I want an error to be thrown. This seems fairly straightforward when the user is logged in, however, as these two requests are being managed anonymously it would appear that Spring just goes ahead and creates a new session, even if the session provided in the request is invalid or non-existent (which you would expect).

Is there a straightforward way of requiring that a request to a specific URL or method has a valid pre-existing session, even when the user is anonymous? I started looking at the AnonymousAuthenticationFilter and the SessionManagementFilter with a view to creating my own custom filter but I'm not sure which is best for me to change.

If anyone has had similar experience in this area I would really appreciate their thoughts.

Many Thanks
Noush
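
One way to enforce the ordering described in the question, as an added example that is not part of the original post: a servlet filter that refuses the second enrollment request unless the request carries a live session in which the first step was recorded. The class name, the `/enroll/step2` path and the `ENROLL_STEP_ONE_DONE` attribute are assumptions made for illustration, and the `javax.servlet` imports assume a pre-Jakarta Spring version.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: rejects step-two enrollment requests that do not
// arrive with a live session in which step one was completed.
public class EnrollmentStepFilter extends OncePerRequestFilter {

    // Assumed names; the step-one handler must set this attribute to
    // Boolean.TRUE on the session once its request succeeds.
    static final String STEP_TWO_PATH = "/enroll/step2";
    static final String STEP_ONE_DONE = "ENROLL_STEP_ONE_DONE";

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Guard only the step-two URL; everything else passes through.
        String path = request.getRequestURI()
                .substring(request.getContextPath().length());
        return !path.startsWith(STEP_TWO_PATH);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // getSession(false) never creates a session: null means the client
        // sent no session id, or one that is expired or unknown.
        HttpSession session = request.getSession(false);
        boolean stepOneDone = session != null
                && Boolean.TRUE.equals(session.getAttribute(STEP_ONE_DONE));
        if (!stepOneDone) {
            // Fail closed: no valid prior session, no step two.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Enrollment step one has not been completed");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Because the check is on the marker attribute rather than on a session merely existing, a session that was freshly created earlier in the filter chain for an anonymous caller still fails it.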