M Rajoy

Reputation: 4074

Spring authentication through REST Service

I have a webapp that consists of a REST API, and then another app that represents a frontend of this API. Both of these apps are developed using Spring.

Currently my REST API is not secured, and data can be accessed directly by calling the REST endpoint without additional security info.

My frontend does have a login form (I'm using Spring Security for that), but does not have access to a database (the only access is through the REST endpoint). So the login process is done through an extension of the AuthenticationProvider that calls the REST API with the user and password and then responds with the authentication result. No authentication/authorization is kept on the REST side since, to my knowledge, this protocol should be stateless.

The problem is I need to incorporate ACL into my app, so that a user can only see those resources he's authorized to see (i.e. those he created). But given that my authentication process takes place on the frontend layer (which is where I keep a session attribute with the user info), I have two main problems:

  1. How can I secure my REST channel?
  2. How can I know which user is making the request on every communication, without explicitly passing the user details in each API request? Is this even possible?

Upvotes: 0

Views: 149
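One way to keep the REST side stateless while still knowing which user is calling, shown here as an added example that is not code from the question or the answer: after the frontend's AuthenticationProvider has validated the credentials against the REST API, the frontend attaches a header carrying the username and a timestamp, signed with an HMAC over a secret shared only by the two apps. The REST API recomputes the MAC, rejects anything tampered with or stale, and then applies its ACL checks to the verified username. The header name `X-Auth-User`, the shared secret, and the five-minute freshness window are assumptions for this example. The channel itself still needs HTTPS between the two apps so the header cannot be read or replayed in transit.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Signed identity header shared by the frontend and the REST API (illustrative; not from the post). */
public final class SignedUserHeader {
    private static final String HMAC_ALGO = "HmacSHA256";
    public static final String HEADER_NAME = "X-Auth-User";   // assumed header name
    private static final long MAX_AGE_MS = 5L * 60 * 1000;    // assumed freshness window; limits replay

    private final SecretKeySpec key;

    public SignedUserHeader(byte[] sharedSecret) {
        this.key = new SecretKeySpec(sharedSecret, HMAC_ALGO);
    }

    /** Frontend side: build the header value once Spring Security has authenticated the user. */
    public String create(String username, long issuedAtMs) {
        if (username.indexOf('|') >= 0) {
            throw new IllegalArgumentException("username must not contain '|'");
        }
        String payload = username + "|" + issuedAtMs;
        return payload + "|" + Base64.getEncoder().encodeToString(hmac(payload));
    }

    /** REST side: return the verified username, or null if the header is missing, tampered with, or stale. */
    public String verify(String headerValue, long nowMs) {
        if (headerValue == null) return null;
        String[] parts = headerValue.split("\\|", -1);
        if (parts.length != 3) return null;

        byte[] expected = hmac(parts[0] + "|" + parts[1]);
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so the MAC cannot be guessed byte by byte via timing.
        if (!MessageDigest.isEqual(expected, presented)) return null;

        long issuedAt;
        try {
            issuedAt = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMs - issuedAt > MAX_AGE_MS || issuedAt - nowMs > MAX_AGE_MS) return null;
        return parts[0];
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALGO);
            mac.init(key);
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Placeholder secret; in deployment both apps load the same random secret from configuration.
        byte[] secret = "replace-with-a-random-32-byte-secret".getBytes(StandardCharsets.UTF_8);
        SignedUserHeader frontend = new SignedUserHeader(secret);
        SignedUserHeader restApi = new SignedUserHeader(secret);
        long now = System.currentTimeMillis();

        String header = frontend.create("alice", now);
        String mac = header.substring(header.lastIndexOf('|') + 1);
        String tampered = "bob|" + now + "|" + mac;   // same MAC, different user

        System.out.println("valid header    -> " + restApi.verify(header, now));
        System.out.println("tampered user   -> " + restApi.verify(tampered, now));
        System.out.println("stale header    -> " + restApi.verify(header, now + 10L * 60 * 1000));
        System.out.println("missing header  -> " + restApi.verify(null, now));
    }
}
```

On the Spring side, the `verify` call would sit in a servlet filter on the REST API (a `OncePerRequestFilter` subclass is the usual place) that reads the header, and on success populates `SecurityContextHolder` with the returned username so that method-level ACL checks see the caller. The frontend adds the header in its REST client for every outgoing call, which is what removes the need to pass user details explicitly in each request body.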

Answers (1)

Nils

Reputation: 1740

Doing it stateless and making two separate web applications is usually overkill. What I usually end up doing is:

  1. Make my REST API stateful, because usually scaling is not an issue and simple form authentication will suffice.
  2. Combine the REST API and HTML client in one web application. If you want to keep it modular, you could create a REST API module and integrate it as a JAR file in the lib folder of your web app.

Here is also a thread which goes through different alternatives for a REST API:

How to do authentication with a REST API right? (Browser + Native clients)

Upvotes: 1
