Spring endpoint taking a session ID and HATEOAS

I am working with a Spring controller and adding authorization and authentication to it. The Spring controller uses HATEOAS and I am supposed to simply add a service which verifies the session ID inside the request header.

Using Spring Security does not seem to fit, since I am asking an outside service for authentication and authorization based on resources. But the authorization of the resources happens on metadata inside the database.

I am looking for a simple and best practice way to do that.

I have the following Spring controller endpoint:

    @ApiOperation(value = "Gets a bucket's metadata by ID")
    @ApiResponses(value = { @ApiResponse(code = 404, message = "Bucket not found"),
                            @ApiResponse(code = 401, message = "User not authenticated"),
                            @ApiResponse(code = 403, message = "Permission denied"), })
    @RequestMapping(value = "/{bucketId}", method = GET)
    public BucketMetadata getMetadata(
            @ApiParam(value = "sessionID", required = true) @RequestHeader(value = "sessionID", required = true) String sessionId,
            @PathVariable long bucketId) throws NotAuthenticatedException, AccessDeniedException {
        // Authentication and authorization are checked before any bucket data is read.
        restApiAccessService.checkAccessBySessionIdAndThrowIfDeclined(sessionId, bucketId);
        return bucketService.getBucketMetadata(bucketId);
    }

The service relies on a microservice which validates the sessionId, and an authorization service which validates access to a bucketId.

1) I have not seen Spring examples which use a session ID inside the controller. Can I improve that design?

The reason why I am questioning the session ID in the endpoint is that the HATEOAS linkTo is accessing the controller, which itself needs a session ID.


The above code doesn’t look right and forces me to handle the not authenticated and not authorized exceptions.

I would be happy about any type of examples or input to help me create a clean, simple, short and maintainable solution.

Thank you,
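
One way to move the check out of the controller, as an added example that is not part of the original post: a `HandlerInterceptor` reads the `sessionID` header and the `bucketId` path variable, calls the same access service, and a `@ControllerAdvice` maps the two exceptions to 401 and 403, so `getMetadata` keeps only `bucketId` and link building no longer needs a session ID. It assumes Spring 5.x on `javax.servlet`, and that `RestApiAccessService`, `NotAuthenticatedException` and `AccessDeniedException` are the question's own types in the same package; `BucketAccessInterceptor` and `AccessExceptionAdvice` are hypothetical names.

```java
// Added example (not the poster's code); types from the question assumed in this package.
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.HandlerMapping;

public class BucketAccessInterceptor implements HandlerInterceptor {
    private final RestApiAccessService restApiAccessService;
    public BucketAccessInterceptor(RestApiAccessService restApiAccessService) {
        this.restApiAccessService = restApiAccessService;
    }

    @Override
    @SuppressWarnings("unchecked")
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        String sessionId = request.getHeader("sessionID");
        Map<String, String> vars = (Map<String, String>)
                request.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
        String bucketId = (vars == null) ? null : vars.get("bucketId");
        if (sessionId == null || sessionId.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no session header
            return false;
        }
        if (bucketId == null || !bucketId.matches("\\d{1,18}")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed: nothing to authorize
            return false;
        }
        // Throws NotAuthenticatedException / AccessDeniedException, mapped by the advice below.
        restApiAccessService.checkAccessBySessionIdAndThrowIfDeclined(
                sessionId, Long.parseLong(bucketId));
        return true;
    }
}

@ControllerAdvice
class AccessExceptionAdvice {
    @ExceptionHandler(NotAuthenticatedException.class)
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    void notAuthenticated() { }

    @ExceptionHandler(AccessDeniedException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    void accessDenied() { }
}
```

Register the interceptor in a `WebMvcConfigurer.addInterceptors` override and limit it with `addPathPatterns` to the bucket routes, so every request to them is checked before the handler runs.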