[aerogear-dev] [security] using protected endpoints (after getting the 'token' on login)

Hi Bruno, playing with the 'picketbox' branch of the TODO app. I have one question about the security API ... I am able to do a successful login with 'curl' ==> curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"username":"john","password":"123"}' http://localhost:8080/todo-server/auth/login Great, my RESPONSE looks like: {"username":"john","token":"6c9d10c9-c0ec-40bb-8c95-6ca84dbb8fad","roles":["admin"],"logged":"true"} Now when I want to fetch the projects (from their endpoint), by using the token (as header) (again with) curl: curl -v -H "Accept: application/json" --header "token: 6c9d10c9-c0ec-40bb-8c95-6ca84dbb8fad" -X GET http://localhost:8080/todo-server/projects As a response I am getting 401 (Unauthorized) ==> * About to connect() to localhost port 8080 (#0) * Trying 127.0.0.1... * connected * Connected to localhost (127.0.0.1) port 8080 (#0) < HTTP/1.1 401 Unauthorized < Server: Apache-Coyote/1.1 < Content-Type: application/json < Content-Length: 39 < Date: Wed, 26 Sep 2012 11:29:56 GMT < * Connection #0 to host localhost left intact Am I missing something here ? Greetings, Matthias -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf