Thread: Spring Roo + security + json, how to authenticate?

  1. #1
    Join Date
    Jun 2011
    Posts
    1

    Spring Roo + security + json, how to authenticate?

    Hi,

    Imagine the pizzashop example included in the Spring Roo installation. It offers JSON remoting for all domain types, so you can externalize all operations using REST.
    Up to here, everything works OK. Now add security to this project using:
    security setup

    Alright, now I can have authentication through HTML. However, if I intercept "/bases", for example, and limit it to isAuthenticated(), I can certainly authenticate through the web, but how do I do that through REST?

    Before using Spring Security, a simple command like this:
    curl -i -X POST -H "Content-Type: application/json" -H "Accept: application/json" -d '{name: "Thin Crust"}' http://localhost:8080/pizzashop/bases

    exposed some data; however, after applying security it doesn't work anymore because it needs to be authenticated.

  2. #2
    Join Date
    Jun 2008
    Location
    Philadelphia, PA, USA
    Posts
    212

    Best guess is that your curl isn't going to work anymore, because you'll have to install some sort of alternate authentication service, such as one that handles digests.

    See:
    http://static.springsource.org/sprin...cessing-filter

    to set up digest authentication, and see:
    http://www.ietf.org/rfc/rfc2617.txt

    for the specification. You'd want to generate a digest authentication request (appropriate headers) and the server will reply with a short-time token called a 'nonce'. You use it until it expires, then submit for another authentication and a new 'nonce' in the headers of your request.

    That's one way to do it. You could use basic authentication, but then you'd be sending your credentials in the clear (of course unless you secure the server with http). Digest authentication is the best choice short of using your own mechanisms that you'd have to write yourself (and integrate into Spring Security).

    Best,

    Ken
    Ken Rimple
    Chariot Solutions
    email: krimple@chariotsolutions.com
    work: www.chariotsolutions.com/education
    personal: www.rimple.com

    Author: Spring Roo in Action (Manning)
    MEAP Site: manning.com/rimple
