We plan to develop a layer of REST services to provide services hosted on the old system. These services will be used by the classic web application and mobile phone applications.
This legacy system is protected in such a way that an initial authentication with username and password is required (a process that can take from 5 to 10 seconds). After the initial authentication, a time-limited token is returned. This token must then be included in all further requests, or those requests will be rejected.
Due to a security requirement, the legacy security token cannot be returned outside the REST service layer. This means that the REST service layer must store this token in some form of user session; otherwise the expensive username/password authentication would have to be repeated for every call to the legacy system.
The REST service layer will be implemented using the Java 3 + Spring 3 + Spring Security 3 stack. At first glance, it seems that this setup will work fine: the Spring-based REST services will be protected using the fairly standard Spring Security configuration, the legacy security token will be saved in the user's HTTP session, and each call will retrieve this token from the user session and send it to the legacy system.
But the question arises: how will REST clients send the necessary data so that the user's HTTP session is correctly restored? This is usually done transparently by a web browser using the JSESSIONID cookie, but no browser is involved in this process. Of course, REST clients can add cookie management to their code, but is this an easy task for all of the Spring RestTemplate, iPhone, BlackBerry and Android clients?
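As an added example (not code from the question or from any answer), here is what the "cookie management" for a Spring RestTemplate client could look like: an interceptor that captures the JSESSIONID issued by the REST layer and replays it only to that same host, so the server-side session holding the legacy token is restored on every call without repeating the slow username/password step. It assumes Spring 3.1 or later (where ClientHttpRequestInterceptor exists), one interceptor instance per end user, and TLS on the connection, since the cookie now stands in for the legacy token.

```java
import java.io.IOException;
import java.net.HttpCookie;
import java.util.Collections;
import java.util.List;

import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestTemplate;

/** Keeps the REST layer's JSESSIONID in memory and replays it on later calls to the same host. */
public class SessionCookieInterceptor implements ClientHttpRequestInterceptor {
    private String cookieHeader;   // "JSESSIONID=<value>", null until the server issues one
    private String sessionHost;    // host that issued the cookie; never replay it elsewhere

    @Override
    public synchronized ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        String host = request.getURI().getHost();
        if (cookieHeader != null && host != null && host.equalsIgnoreCase(sessionHost)) {
            request.getHeaders().add("Cookie", cookieHeader);
        }
        ClientHttpResponse response = execution.execute(request, body);
        // The server (re)issues the session cookie on login or session rotation; adopt the newest one.
        List<String> setCookies = response.getHeaders().get("Set-Cookie");
        if (setCookies != null) {
            for (String header : setCookies) {
                for (HttpCookie c : HttpCookie.parse(header)) {
                    if ("JSESSIONID".equals(c.getName())) {
                        cookieHeader = c.getName() + "=" + c.getValue();
                        sessionHost = host;
                    }
                }
            }
        }
        return response;
    }

    /** Drop the cookie, e.g. after a 401 tells us the server-side session (and legacy token) expired. */
    public synchronized void reset() {
        cookieHeader = null;
        sessionHost = null;
    }

    /** Wires one interceptor (one user) into a RestTemplate; hypothetical helper for illustration. */
    public static RestTemplate newSessionAwareTemplate() {
        RestTemplate template = new RestTemplate();
        template.setInterceptors(Collections.<ClientHttpRequestInterceptor>singletonList(
                new SessionCookieInterceptor()));
        return template;
    }
}
```

Because the whole session lives in one in-memory string, a client that serves several users must create a separate interceptor (and RestTemplate) per user rather than sharing one, or it will silently mix their legacy sessions.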