My sample app does exactly this – securing REST endpoints using Spring Security in a stateless scenario. Individual REST calls are authenticated using an HTTP header. Authentication information is stored on the server side in an in-memory cache and provides the same semantics as those offered by the HTTP session in a typical web application. The app uses the full Spring Security infrastructure with very minimal custom code. No bare filters, no code outside of the Spring Security infrastructure.
The basic idea is to implement the following four Spring Security components:

- org.springframework.security.web.AuthenticationEntryPoint – to trap REST calls requiring authentication but missing the required authentication token and thereby deny the requests.
- org.springframework.security.core.Authentication – to hold the authentication information required for the REST API.
- org.springframework.security.authentication.AuthenticationProvider – to perform the actual authentication (against a database, an LDAP server, a web service, etc.).
- org.springframework.security.web.context.SecurityContextRepository – to hold the authentication token in between HTTP requests. In the sample, the implementation saves the token in an EHCACHE instance.
The sample uses XML configuration but you can easily come up with the equivalent Java config.
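As an added illustration of two of the four components above (not code from the answer's sample app), here is a SecurityContextRepository that keys the security context on a request header and an AuthenticationEntryPoint that answers 401 instead of redirecting; the header name X-Auth-Token and the ConcurrentHashMap standing in for the EHCACHE instance are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

/** Replaces the HTTP session with a server-side cache keyed by a header token. */
public class TokenSecurityContextRepository implements SecurityContextRepository {
    // Assumed header name; the answer does not state which header its sample uses.
    static final String TOKEN_HEADER = "X-Auth-Token";
    // Stand-in for the EHCACHE instance mentioned in the answer.
    private final Map<String, SecurityContext> cache = new ConcurrentHashMap<>();

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String token = holder.getRequest().getHeader(TOKEN_HEADER);
        SecurityContext ctx = token == null ? null : cache.get(token);
        // Missing or unknown token: return an empty context so the call is treated as anonymous.
        return ctx != null ? ctx : SecurityContextHolder.createEmptyContext();
    }

    @Override
    public void saveContext(SecurityContext ctx, HttpServletRequest req, HttpServletResponse res) {
        String token = req.getHeader(TOKEN_HEADER);
        if (token == null) return;
        Authentication auth = ctx.getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            cache.remove(token); // logout or failed authentication evicts the cached context
        } else {
            cache.put(token, ctx);
        }
    }

    @Override
    public boolean containsContext(HttpServletRequest req) {
        String token = req.getHeader(TOKEN_HEADER);
        return token != null && cache.containsKey(token);
    }

    /** Denies calls that lack a valid token with 401 rather than redirecting to a login page. */
    public static class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException e)
                throws IOException {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication token required");
        }
    }
}
```

Wire both beans into the security filter chain (security-context-repository-ref and entry-point-ref in XML, or the equivalent Java config) so the repository is consulted on every request and the entry point handles unauthenticated calls.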