I want to implement a basic RESTful service using Tomcat. The API requires authorisation before it can be used. Authorisation will be achieved by requesting an account ‘resource’, e.g.
some.domain.com/rest/accounts?user=ABC&password=XYZ
If the credentials are valid, an appropriate account resource will be returned as JSON or an empty response of type 403 will be returned. After authorisation is performed, the client can then access the API (for example):
some.domain.com/rest/secure/bookings
some.domain.com/rest/secure/friends
However I feel lost with all the options for implementation. I know I want to use Spring, but Jackson seems simpler and easier for returning JSON objects.
Questions:
- Should I implement a Spring Controller even though the class which uses Jackson is kind of a controller too? Or if I use Jackson is there no need for a Spring controller?
- Should authentication be performed using Spring-Security, Tomcat filters, or AOP with Spring?
There seems to be so many ways to do things, but my priority is to keep things simple.
Probably the most brain-damaged way to perform authentication I have ever seen. Authentication is not the concern of the REST API but of the underlying framework/server with Basic, Digest, Negotiate, etc. As duffymo already said, Spring Security is the most natural way to do so.
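What "leave authentication to the framework" looks like in practice, as an added example that is not code from the question, from the comment above, or from Spring itself: a Spring Security configuration that protects /rest/secure/** with HTTP Basic, beside a Spring MVC controller whose JSON is produced by Jackson. It assumes Spring Boot 3 with Spring Security 6 and spring-boot-starter-web on the classpath; the class names, the /rest paths, the user ABC/XYZ and the Booking record are placeholders taken from the question or made up here.

```java
package com.example.rest;

import java.security.Principal;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig {

    @Bean
    SecurityFilterChain restApi(HttpSecurity http) throws Exception {
        http
            // This chain only handles /rest/**; any other mappings are untouched.
            .securityMatcher("/rest/**")
            // Stateless API with no session cookie, so there is nothing for CSRF protection to guard.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/rest/secure/**").authenticated()
                .anyRequest().permitAll())
            // Credentials arrive in the Authorization header and are checked on every request;
            // Basic only protects them if TLS terminates in front of (or at) Tomcat.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Stored hashes, never plaintext passwords.
        return new BCryptPasswordEncoder();
    }

    // Hypothetical in-memory user store with the credentials from the question;
    // a real service would back this with a database or directory.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails demo = User.withUsername("ABC")
                .password(encoder.encode("XYZ"))
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(demo);
    }
}

// An ordinary Spring MVC controller. Jackson, pulled in by spring-boot-starter-web,
// serializes the returned objects to JSON, so no separate "Jackson class" is needed.
@RestController
@RequestMapping("/rest/secure")
class SecureApiController {

    // Hypothetical response type; Jackson serializes the record components as JSON fields.
    record Booking(long id, String description) {}

    @GetMapping("/bookings")
    List<Booking> bookings(Principal principal) {
        // principal is set by Spring Security from the verified Basic credentials.
        return List.of(new Booking(1L, "booking for " + principal.getName()));
    }
}
```

Calling `curl -u ABC:XYZ https://some.domain.com/rest/secure/bookings` returns the JSON list; the same request without credentials, or with wrong ones, gets a 401 with a `WWW-Authenticate: Basic` header from Spring Security rather than the 403 the question proposes, and the controller is never reached. Keeping the password out of the query string also matters in itself: query strings are written to Tomcat and proxy access logs, whereas the Authorization header is not logged by default.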