I've been doing a ton of research on this and just want to validate the best approach before I move forward...
My requirement is that I do token-based authentication for a REST/Jersey service that is also integrated with Spring. This means that there is an "authenticate" service to which the username/password will be posted, which will respond with a string token. That token can be whatever I want. All other method requests will pass the token in an HTTP header. This is the requirement because we support several existing clients and cannot expect them to change at our whim, and this is how the current service, which uses a home-grown auth framework, works.

I'm looking at disabling session creation, as described at:
https://cwiki.apache.org/confluence/display/SHIRO/Session+Management#SessionManagement-StatelessApplications%28Sessionless%29

Specifically with:

/rest/** = noSessionCreation, anon

The question then is how do I best store and retrieve the fact that the user with a given token has been authenticated? Should I just store it in ehcache and retrieve it with a "remember me manager" upon each request? Or do I need to implement a secondary realm that logs in by the stored auth token rather than the user/password?

Lastly, I could keep sessions enabled, but I really don't need anything from the session other than this token, I don't think.

--
Sean Blaes
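The "secondary realm" option from the message above, written out as an added example (not code from the original post or from the Shiro project). It assumes a JAX-RS 2 `ContainerRequestFilter`, a header named `X-Auth-Token`, and a hypothetical in-memory `TokenStore` standing in for ehcache; the Shiro classes used (`AuthorizingRealm`, `AuthenticationToken`, `SimpleAuthenticationInfo`, `AllowAllCredentialsMatcher`, `SecurityUtils`) are the real Shiro 1.x API. With `/rest/** = noSessionCreation, anon` in place, nothing is kept in a Shiro session: every request re-authenticates the Subject from the header through this realm, and the store only holds a hash of each token so a dumped cache does not yield usable credentials.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public final class TokenAuth {

    /** Hypothetical token store: SHA-256(token) -> username + expiry. Swap for ehcache or a DB. */
    public static final class TokenStore {
        private static final long TTL_MILLIS = 8 * 60 * 60 * 1000L;   // assumed 8h lifetime
        private final Map<String, Entry> byHash = new ConcurrentHashMap<>();
        private final SecureRandom random = new SecureRandom();

        private static final class Entry {
            final String username; final long expiresAt;
            Entry(String username, long expiresAt) { this.username = username; this.expiresAt = expiresAt; }
        }

        /** Called by the "authenticate" endpoint after the username/password check passed. */
        public String issue(String username) {
            byte[] raw = new byte[32];                                  // 256 bits of CSPRNG output
            random.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            byHash.put(sha256(token), new Entry(username, System.currentTimeMillis() + TTL_MILLIS));
            return token;                                               // raw token goes to the client once
        }

        /** Username for a live token, or null when unknown or expired (expired entries are dropped). */
        public String resolve(String token) {
            String key = sha256(token);
            Entry e = byHash.get(key);
            if (e == null) return null;
            if (e.expiresAt < System.currentTimeMillis()) { byHash.remove(key); return null; }
            return e.username;
        }

        public void revoke(String token) { byHash.remove(sha256(token)); }

        private static String sha256(String s) {
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
                return Base64.getEncoder().encodeToString(digest);
            } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
        }
    }

    /** Shiro token type for the header value, so the realm's supports() can claim it. */
    public static final class ApiToken implements AuthenticationToken {
        private final String value;
        public ApiToken(String value) { this.value = value; }
        @Override public Object getPrincipal() { return value; }
        @Override public Object getCredentials() { return value; }
    }

    /** The secondary realm: logs in by stored API token instead of username/password. */
    public static final class ApiTokenRealm extends AuthorizingRealm {
        private final TokenStore store;
        public ApiTokenRealm(TokenStore store) {
            this.store = store;
            // The store lookup already proves possession of the token; there is nothing else to compare.
            setCredentialsMatcher(new AllowAllCredentialsMatcher());
        }
        @Override public boolean supports(AuthenticationToken t) { return t instanceof ApiToken; }
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String username = store.resolve((String) t.getPrincipal());
            if (username == null) throw new AuthenticationException("unknown or expired token");
            return new SimpleAuthenticationInfo(username, t.getCredentials(), getName());
        }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo();   // roles/permissions would come from the user store
        }
    }

    /** JAX-RS 2 filter: authenticates the Subject from the header on each request; no session involved. */
    @Provider
    public static final class ApiTokenFilter implements ContainerRequestFilter {
        static final String HEADER = "X-Auth-Token";   // assumed header name
        @Override public void filter(ContainerRequestContext ctx) {
            String token = ctx.getHeaderString(HEADER);
            if (token == null || token.isEmpty()) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                return;
            }
            try {
                SecurityUtils.getSubject().login(new ApiToken(token));
            } catch (AuthenticationException e) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            }
        }
    }
}
```

Both realms are registered on the security manager: the existing username/password realm only accepts `UsernamePasswordToken`, and `ApiTokenRealm.supports()` only accepts `ApiToken`, so `ModularRealmAuthenticator` routes each login to exactly one of them. The `/authenticate` resource stays `anon`, performs `subject.login(new UsernamePasswordToken(...))` against the password realm, and then returns `store.issue(username)`; the filter is bound only to the protected resources. Since the chain is `noSessionCreation`, the `login()` in the filter never touches a session, so there is no need for a remember-me manager or an ehcache-backed session store just to carry the token.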
