I want to secure my RESTful web service in some way. I have read for the past few hours about Spring Security and I am not sure if I can achieve what I want with it. Here is a typical scenario:
- The user tries to access www.address.com/rest/getSomething; he gets 401 Unauthorized and is not redirected.
- He goes to www.address.com/rest/login with username and password parameters.
- His credentials are checked against those in the database (I'm using JPA over Hibernate).
- If they are correct, the user receives 200 OK, and the info that he's logged in is stored in the session, so he does not need to send the username and password when accessing other addresses. Info that he logged in successfully (or not) is stored in the DB.
- If the login is unsuccessful, he receives 401.
- The user uses the web service as much as he wants (on each access, his session is checked).
- After, let's say, 10 minutes of inactivity his session ends, and he needs to log in again.
- He may visit www.address.com/rest/logout to log out properly (session invalidate maybe?).
I also want to introduce some kind of password recovery: if the user accesses www.address.com/rest/remindPass, an email will be sent with a newly generated password.
EDIT: And I forgot about one more thing. I also need another filter for checking if the user has enough privilege to access an address.
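The flow described in the question (401 without redirect, session-based login at /rest/login, JPA-backed credential check, login attempts recorded in the DB, logout at /rest/logout, and a per-URL privilege check) can be expressed with Spring Security's standard configuration. The following is an added example, not code from the question or from Spring; it assumes Spring Boot 2 with Spring Security 5, and the JPA types `AccountEntity`, `AccountRepository` (with a `findByUsername` method returning `Optional`), `LoginAuditEntity` and `LoginAuditRepository` are hypothetical names for the asker's own persistence layer. Everything else uses Spring Security classes that exist as written.

```java
// Added example (not from the question): session-based REST login with Spring Security 5.
// Assumed project types: AccountEntity, AccountRepository, LoginAuditEntity, LoginAuditRepository.
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // REST clients send no CSRF token; the session cookie remains the credential.
            .csrf().disable()
            // Unauthenticated requests get a plain 401 instead of a redirect to a login page.
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
            .and()
            .authorizeRequests()
                .antMatchers("/rest/login", "/rest/remindPass").permitAll()
                .antMatchers("/rest/admin/**").hasRole("ADMIN")   // privilege check per URL
                .anyRequest().authenticated()                     // everything else needs a session
            .and()
            .formLogin()
                .loginProcessingUrl("/rest/login")                // POST username + password here
                .successHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_OK))
                .failureHandler((req, res, ex) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED))
            .and()
            .logout()
                .logoutUrl("/rest/logout")
                .invalidateHttpSession(true)                      // server-side session is dropped
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK));
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // the DB holds only salted hashes, never passwords
    }
}

// Loads the account through JPA; Spring Security compares the submitted password
// against the stored hash using the PasswordEncoder bean above.
@Service
class JpaUserDetailsService implements UserDetailsService {
    private final AccountRepository accounts; // assumed: JpaRepository with Optional findByUsername(String)

    JpaUserDetailsService(AccountRepository accounts) { this.accounts = accounts; }

    @Override
    public UserDetails loadUserByUsername(String username) {
        AccountEntity a = accounts.findByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException("no such user"));
        return User.withUsername(a.getUsername())
            .password(a.getPasswordHash())   // assumed: BCrypt hash column
            .roles(a.getRole())              // assumed: "USER" or "ADMIN"
            .build();
    }
}

// Records every login attempt by listening to the events Spring Security publishes
// on success and failure (Spring Boot registers the event publisher automatically).
@Service
class LoginAuditListener {
    private final LoginAuditRepository audit; // assumed: JpaRepository for LoginAuditEntity

    LoginAuditListener(LoginAuditRepository audit) { this.audit = audit; }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent e) {
        audit.save(new LoginAuditEntity(e.getAuthentication().getName(), true));
    }

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent e) {
        // getAuthentication() is the attempted, unauthenticated token; its name is the username tried
        audit.save(new LoginAuditEntity(e.getAuthentication().getName(), false));
    }
}
```

The 10-minute inactivity limit is not part of the security config; with Spring Boot it is the servlet container setting `server.servlet.session.timeout=10m` in application.properties, after which the next request hits the 401 entry point again. Because CSRF is disabled here, `/rest/logout` accepts GET as well as POST; with CSRF enabled Spring Security requires POST. For the /rest/remindPass part, note that emailing a newly generated password makes the mailbox the credential; a short-lived, single-use reset link that lets the user choose a new password is the usual alternative.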