I want to secure my restful cxf based web service, which is used internally only (i.e. no 3rd parties) and is accessed via a web tier using java, javascript, and flex. The web tier uses spring security (3.0.2.RELEASE).

I do not, however, want to use basic authentication security, since I do want to transfer back-and-forth the user name and password with each request.

I've looked into using Spring Security in conjunction with either OAuth or SSO, but I'm not sure whether either combination is sensible. I'd appreciate insight/feedback on what options I have as well as what approaches others have taken and why.