基于Token的授权（with srping mvc）

@Override
public void doFilter(ServletRequest sr, ServletResponse sr1, FilterChain fc) throws IOException, ServletException {
    boolean tokenAuthenticated = false;
    HttpServletRequest request = (HttpServletRequest) sr;
    String token = findToken(request);
    if ((null == token) || (!authenticationNeeded(request))) {
        fc.doFilter(sr, sr1);
        return;
    }
    if (needHttps && (! request.isSecure())) {
        TokenAuthenticationToken at = new TokenAuthenticationToken(token);
        try {
            at.setDetails(detailsSource.buildDetails(request));
            Authentication auth = manager.authenticate(at);
            if ((auth != null) && (auth.isAuthenticated())) {
                SecurityContextHolder.getContext().setAuthentication(auth);
                tokenAuthenticated = true;
            }
        } catch (AuthenticationException e) {
            logger.debug("Authentication failed :", e);
        }
    }
    else {
        logger.info("Token identification rejected : proto != https");
    }
    fc.doFilter(sr, sr1);
    if (tokenAuthenticated) {
        logger.debug("Token authenticated : invalidate session");
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}

除了filter，应该需要在服务端持久化token，参见http://stackoverflow.com/questions/2608372/spring-security-rememberme-services-with-session-cookie?rq=1
https://github.com/virgo47/restful-spring-security

logout的实现
http://stackoverflow.com/questions/14733418/login-logout-in-rest-with-spring-3/14735345#14735345