I have a Spring Security (form based authentication) web app running CXF JAX-RS webservices and I am trying to connect to this webservice from an Android app that can be authenticated on a per user basis. Currently, when I add an @Secured annotation to my webservice method all requests to this method are denied. I have tried to pass in credentials of a valid user/password (that currently exists in the Spring Security based web app and can log in to the web app successfully) from the android call but the request still fails to enter this method when the @Secured annotation is present. The SecurityContext parameter returns null when calling getUserPrincipal().

How can I make a request from an android app that can enter a Spring Security secured webservice method?

Here is the code I am working with at the moment:

Android call:

httpclient.getCredentialsProvider().setCredentials(
          //new AuthScope("192.168.1.101", 80), 
          new AuthScope(null, -1),
         new UsernamePasswordCredentials("joeuser", "mypassword"));

  String userAgent = "Android/" + getVersion();      


  HttpGet httpget = new HttpGet(MY_URI);
  httpget.setHeader("User-Agent", userAgent);
  httpget.setHeader("Content-Type", "application/xml");

  HttpResponse response;

  try {
      response = httpclient.execute(httpget);
      HttpEntity entity = response.getEntity();

      ... parse xml

Webservice Method:

@GET
@Path("/payload")
@Produces("application/XML")
@Secured({"ROLE_USER","ROLE_ADMIN","ROLE_GUEST"})
public Response makePayload(@Context Request request, @Context SecurityContext securityContext){

         Payload payload = new Payload();
         payload.setUsersOnline(new Long(200));

            if (payload == null) {
                return Response.noContent().build();
            }
            else{
                 return Response.ok().entity(payload).build();
            }

 }