ClientCertificates, AJAX, and REST servlet, spring, currently, properly, security

amy

My web application currently has two dispatcher servlets.  All normal browser requests for html pages use the dispatch servlet with mapping *.htm and all AJAX/Rest requests use the dispatcher servlet with mapping *.rest.  Authenication is done using ssl client certificates.

I currently have spring security setup properly to work with the *.htm requests but I cannot figure out how to use it for the *.rest requests.

If some sort of authentication/authorization error occurs when doing a rest request ideally this is what I would like to happen:

1)  No redirect happens, just send back a status code of 403.

2)  Render the specific error message in a format based on the Accept request header.  (Something similar to how ContentNegotiatingViewResolver works)

The way that my app currently handles this is instead of using spring security I have a Abstract Controller that all of my controllers that recieve rest requests subclass.  The abstract controller implements handleRequest, authenticates the user if they haven't already been, then if authenication was successful it calls a template method that subclasses implement to handle the request.  If authentication fails it sets the error message(s) on the modelAndView, sets the viewName to quot;authenticationErrorquot;, and then returns.  I then use ContentNegotiatingViewResolver to pick the proper view to render the error based on the Accept Header.