Authentication scheme for multi-tiered web applica

Published 2019-09-02 05:57

Question:

I am building a web application in which two of the major components are the website and a backend RESTful web service. The website will make calls to the RESTful web service which does the heavy lifting. I am planning to use Spring Security for both tiers. I imagine that the website will use form authentication and the RESTful API will use basic authentication (over SSL). However, I'm not sure how to provide authentication credentials to the REST API as the website will likely have a session cookie after the initial login. Can anyone provide some pointers on an authentication scheme that will work in this multi-tiered application? Thanks!

EDIT: I should mention that the REST API will be consumed by a mobile application as well.

Answer 1:

One way to do it is using Remember Me on the web site and the REST service. The web site would force remember me (you can set the expiration time and/or make it a session cookie). Then copy that cookie for the web site-to-REST service requests. The mobile to REST would use the same cookie that is already in place (assuming they are in the same cookie domain).
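The setup the answer describes, as an added example that is not code from the question or the answer: a Spring Security 5 configuration for each tier. The web tier forces remember-me on form login and copies the remember-me cookie onto every outgoing `RestTemplate` call; the REST tier accepts HTTP Basic (for the mobile client) and the same remember-me cookie. The class names, the `SHARED_REMEMBER_ME_KEY` value and the injected `UserDetailsService` are assumptions; the two classes belong to two separate applications and are shown together here only for reading.

```java
// Added example, not from the original post. Two configurations, one per tier.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// --- web tier (WebTierSecurityConfig.java in the website application) ---
@Configuration
@EnableWebSecurity
public class WebTierSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed shared secret (placeholder). Spring's remember-me token is an HMAC-style hash over
    // username, expiry, password hash and this key, so BOTH tiers must use the same key and the
    // same user store or the REST tier cannot validate the forwarded cookie.
    static final String SHARED_REMEMBER_ME_KEY = "CHANGE-ME-shared-remember-me-key";
    static final String COOKIE_NAME = "remember-me"; // Spring Security's default cookie name

    private final UserDetailsService userDetailsService; // assumed to be provided by the app

    public WebTierSecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin().and()
            .rememberMe()
                .key(SHARED_REMEMBER_ME_KEY)
                .rememberMeCookieName(COOKIE_NAME)
                .alwaysRemember(true)             // "force" remember-me: no checkbox needed
                .tokenValiditySeconds(30 * 60)    // keep the lifetime short; it is a bearer token
                .useSecureCookie(true)            // only ever sent over HTTPS
                .userDetailsService(userDetailsService);
    }

    // RestTemplate used for website-to-REST calls: copies the caller's remember-me cookie
    // from the incoming servlet request onto the outgoing request.
    @Bean
    public RestTemplate restTemplate() {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.getInterceptors().add((request, body, execution) -> {
            ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
            if (attrs != null) {
                HttpServletRequest incoming = attrs.getRequest();
                Cookie[] cookies = incoming.getCookies();
                if (cookies != null) {
                    for (Cookie c : cookies) {
                        if (COOKIE_NAME.equals(c.getName())) {
                            request.getHeaders().add("Cookie", COOKIE_NAME + "=" + c.getValue());
                        }
                    }
                }
            }
            return execution.execute(request, body);
        });
        return restTemplate;
    }
}

// --- REST tier (RestTierSecurityConfig.java in the REST service application) ---
@Configuration
@EnableWebSecurity
class RestTierSecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService; // must read the same user store

    RestTierSecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic().and()                    // mobile clients: Basic over TLS
            .rememberMe()                         // website (and mobile, if it has the cookie)
                .key(WebTierSecurityConfig.SHARED_REMEMBER_ME_KEY)
                .rememberMeCookieName(WebTierSecurityConfig.COOKIE_NAME)
                .userDetailsService(userDetailsService);
    }
}
```

Two things to check before relying on this: the cookie is only valid on the REST tier if the key and the password hashes it is computed over are identical on both sides (a password change on one tier invalidates the cookie on both, which is the intended behaviour), and the browser will only send it to the REST host on its own if the two hosts share a cookie domain; otherwise the server-side copy in the interceptor is the only path, which is fine since it never leaves the server except over the TLS call to the REST tier.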