It's quite hard to find information on that topic for whatever reason. For the commons http client take a look at http://hc.apache.org/httpcomponents-...-ga/index.html
What AuthenticationSimpleHttpInvokerRequestExecuter does is to send basic authentication with every request. That is ok if you want to build a REST-Service or something like that. But if full authentication envolves multiple steps (like authenticating with AD and queryin database for roles), it might be better to authenticate only once. You keep track of the session exactly the same way you would do in a webapplication--> use HTTP-session.
If you are using Spring-Security 3.1 you could define 2 <http> elements. The first one requires no acces-role and is used for your login-service. The second is used for all other services, and requires ROLE_USER.
You now should make sure that your LoginService is matched by the first element (otherwise you can't access it, because you can't have a role at that point). I published it like this.
<http pattern="/remoting/public/**" auto-config="true">
<intercept-url pattern="/**" method="POST" requires-channel="https"/>
<http pattern="/**" auto-config="true">
<intercept-url pattern="/**" access="ROLE_USER" method="POST" requires-channel="https"/>
(note that my dispatcherservlets url-pattern is /remoting/* , could be different in your case)
<bean name="/public/loginService" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
You then could use create-session="always" in the first <http> element. But probably the better way is to just create the session yourself in your authenticationProvider. I do it after everything went fine, that way i can ensure that no session is created for failed authentications. So bevore returning the authentication in your provider, just call request.getSession(); which automatically creates a session if none exists