user1820756

Reputation: 13

Authorization and Authentication using Jersey and Spring

I'm writing a RESTful service using Jersey and Spring 3 (including spring-security), and trying to figure out how to implement authentication and authorization.
I'm new both to Jersey and to Spring so it's all a bit confusing...
Users and their roles are defined in the DB (and not defined in the web.xml or in tomcat-users).

Here are my thoughts about the Authorization part:
Since my service shouldn't necessarily serve web apps, the authorization should be done on the REST resources (and not on pages) - how do I do this? I saw there's the @RolesAllowed annotation but it seems too simple, I need more logic. I think I have to somehow activate Spring Security from there to use the authorization capabilities it offers.
Any suggestions as to how to do this?

For the Authentication part it seems I should use Spring Security's AuthenticationManager and SessionManagement, but I'm not sure how to connect it to the REST API:
1. What should the API that gets the authentication request look like?
2. If Spring handles my sessions, how can I add the authorization on my REST resources?

I'd really appreciate it if you could help me clear things up...

Thanks!

Upvotes: 1

Views: 923

Answers (1)

Marcel Stör

Reputation: 23525

Sorry, but if you're at that early stage with your Spring Security know-how I must suggest you work through the excellent tutorial first. I'm sure your questions will be answered automatically and you'll learn a lot of valuable stuff along the way.

Upvotes: 1
