I have implemented programmatic security by reading through the docs and the forums when I ran into issues.
Everything seems to be working fine but one thing is still bothering me.
In my controller, I am using the following calls.
Authentication auth = new AppAuthentication(accessToken);
//AppAuthentication is my custom implementation of the Authentication Interface.
If I do not set the Authentication Context for the current user in the HTTP session, the context is not available to me on subsequent calls.
HttpSession session = request.getSession();
Is this the intended approach or more of a hack? What would be preferred approach in this case?