Feb 26th, 2010, 08:10 PM
I guess I would suggest going about it a different way - I would suggest having the authentication for the REST service occur within the Spring Security filter context too. If you do this, you shouldn't need to do anything special to authenticate within the REST service, because Spring will do it for you. You'd just have to add appropriate access declarations to the set of <intercept-url> rules you already have. The Spring Sec filter chain that wraps your REST requests will verify the authentication context in the session is correct well before your servlet code is invoked, and it will ensure that things are set up so that your method annotations still work properly.
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
Mar 2nd, 2010, 07:30 AM
I am very interested in the correct solution to this problem - I would like to implement form-based authentication in a declarative way, without using the ServletContextHolder directly.
If you find a solution please post it here!
Mar 4th, 2010, 12:10 PM
It looks like we're probably going to end up passing the jsessionid in as a parameter when making RESTful calls. We will also pass in the encoded auth token.
So a user hits a page, they get a jsessionid, and we just pass it in for web services. If they're logged in, we pass an auth token, too.
Mar 5th, 2010, 08:52 PM
Actually, when a user hits a page, we store an anonymous user ID (a Java UUID) in a cookie. I pull the cookie from the REST class and get the ID from there. We're using that to identify which user is which.
I'm not sure about actual authentication yet. It'll probably be a hashed token stored in a cookie.
Jun 24th, 2010, 07:37 PM
Ok, I am trying to implement something similar. I have just started with spring and rest services.. .if you add how you have implemented it, it would be great.
Jun 24th, 2010, 09:00 PM