
Thread: Combining form-based authentication and REST web services

  1. #11
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    I guess I would suggest going about it a different way - I would suggest having the authentication for the REST service occur within the Spring Security filter context too. If you do this, you shouldn't need to do anything special to authenticate within the REST service, because Spring will do it for you. You'd just have to add appropriate access declarations to the set of <intercept-url> rules you already have. The Spring Sec filter chain that wraps your REST requests will verify the authentication context in the session is correct well before your servlet code is invoked, and it will ensure that things are set up so that your method annotations still work properly.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.
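
The setup described in post #11, sketched as an added example (not part of the original thread and not the poster's own configuration). It assumes the Spring Security 3 XML namespace; the `/rest/**` and `/login.jsp` paths and the `ROLE_USER` role are hypothetical names.

```xml
<!-- Fragment 1, web.xml: map the security filter to every URL so that
     REST requests pass through the same chain as the form-login pages. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Fragment 2, security application context (separate file). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http auto-config="true" use-expressions="true">
    <!-- The login page itself must stay reachable without a session. -->
    <intercept-url pattern="/login.jsp" access="permitAll"/>
    <!-- Assumed REST prefix: the session's authentication is checked
         here, before the REST servlet code is invoked. -->
    <intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')"/>
    <!-- Rules are matched top to bottom, so the catch-all goes last. -->
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <form-login login-page="/login.jsp"/>
  </http>

  <!-- Keeps @Secured method annotations on the service beans active. -->
  <global-method-security secured-annotations="enabled"/>
</beans:beans>
```

With this configuration an unauthenticated call to `/rest/**` receives the form-login redirect rather than a 401, so the JavaScript client has to recognise that response.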


  2. #12
    Join Date
    Mar 2010
    Posts
    2

    Hi,
    I am very interested in the correct solution to this problem - I would like to implement form-based authentication in a declarative way, without using the ServletContextHolder directly.

    If you find a solution please post it here!

    Many thanks,
    Michele

  3. #13
    Join Date
    May 2007
    Posts
    15

    It looks like we're probably going to end up passing the jsessionid in as a parameter when making RESTful calls. We will also pass in the encoded auth token.

    So a user hits a page, they get a jsessionid, and we just pass it in for web services. If they're logged in, we pass an auth token, too.

  4. #14
    Join Date
    May 2007
    Posts
    15

    Actually, when a user hits a page, we store an anonymous user ID (a Java UUID) in a cookie. I pull the cookie from the REST class and get the ID from there. We're using that to identify which user is which.

    I'm not sure about actual authentication yet. It'll probably be a hashed token stored in a cookie.

  5. #15

    OK, I am trying to implement something similar. I have just started with Spring and REST services. If you add how you have implemented it, it would be great.

  6. #16
    Join Date
    May 2007
    Posts
    15

    Spring Security stores an object in a ThreadLocal. Because our JavaScript REST calls are coming from the same browser that the user used to log in, it just works.
