For a similar situation we did the following a long time back:
- Used an HTTP filter to extract a token from HTTP headers for each request.
- Stored the extracted header in the thread context.
- Added an aspect around service method calls to check the thread context for the token.
This strategy worked well for us. For the last many years I have been using Spring Security, since it has a more tested and comprehensive implementation for such problems.
If you wish to write your own token-passing implementation, you can check the source code for the Spring Security class SecurityContextHolder, which provides multiple ways of passing security information on the execution thread.
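
The three steps described in the answer, sketched as an added example (not the answerer's code and not Spring Security's). It assumes the Jakarta Servlet API and AspectJ annotations; the class names, the `X-Auth-Token` header and the `com.example.service` package are hypothetical, and in a real project each class would sit in its own file.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

// Per-thread holder for the token of the request currently being served.
final class TokenContext {
    private static final ThreadLocal<String> TOKEN = new ThreadLocal<>();
    static void set(String token) { TOKEN.set(token); }
    static String get() { return TOKEN.get(); }
    static void clear() { TOKEN.remove(); }
}

// Steps 1 and 2: extract the header and bind it to the request thread.
class TokenFilter implements Filter {
    static final String HEADER = "X-Auth-Token"; // assumed header name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String token = ((HttpServletRequest) req).getHeader(HEADER);
        try {
            if (token != null && !token.isBlank()) {
                TokenContext.set(token);
            }
            chain.doFilter(req, res);
        } finally {
            // Container threads are pooled: always clear, or the next request
            // served by this thread inherits the previous caller's token.
            TokenContext.clear();
        }
    }
}

// Step 3: refuse any service call made without a token on the thread.
@Aspect
class TokenCheckAspect {
    @Before("execution(* com.example.service..*(..))") // assumed package
    public void requireToken() {
        String token = TokenContext.get();
        if (token == null) {
            throw new SecurityException("no token bound to current thread");
        }
        // Validate the token here (signature, expiry, revocation);
        // presence of a header value alone is not authentication.
    }
}
```

A plain `ThreadLocal` is not visible to work handed off to other threads (executors, `@Async`), so service calls made there would be rejected; `SecurityContextHolder` addresses this with selectable holder strategies such as `MODE_INHERITABLETHREADLOCAL`.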