I'm planning to make a little mobile app that will rely on a
Java (Spring / Spring MVC) REST API. The API will have paths that look like this, for example:
/rest/account POST (will create a new account; an account is composed of a username + password + email)
/rest/photo/like, for example, that modifies behaviour and adds things to the DB...
I'm also planning to use Spring Security to handle the authentication/authorisation. So before the mobile app makes any authorised call (for example to /rest/photo/like) it will have to log in (so basically to /security_check?j_username=username&password)
and from then on every request will have to include the JSESSIONID in the cookie.
My question is: is this secure enough? Do I have to use OAuth2? Or is it overkill?
Bonus question: as you don't need to be authenticated to make the /rest/account call to create an account, what is the best way to avoid a user creating 1,000,000 accounts? Apache/IP filter? Or should I handle this in some interceptor in Spring MVC?
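As an added illustration of the "interceptor in Spring MVC" option raised in the bonus question (this is example code written for this page, not code from the question or from Spring itself), the following `HandlerInterceptor` applies a fixed-window, per-client limit to `POST /rest/account` and answers with HTTP 429 once the limit is exceeded. It assumes Spring Framework 5.3+ (where `HandlerInterceptor` has default methods) and the `javax.servlet` API; the limit of 5 requests per 60 seconds, the class names and the 10,000-entry eviction threshold are constructed values chosen for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Example (not Spring's own code): fixed-window rate limiter for an
 * unauthenticated endpoint such as POST /rest/account. Each client key
 * (here the remote IP) gets at most maxPerWindow requests per window.
 */
public class AccountCreationRateLimiter implements HandlerInterceptor {

    /** One counting window for a single client key. */
    private static final class Window {
        final long startMillis;
        final AtomicInteger count = new AtomicInteger();
        Window(long startMillis) { this.startMillis = startMillis; }
    }

    private static final int MAX_TRACKED_KEYS = 10_000; // constructed bound for the in-memory map
    private final int maxPerWindow;
    private final long windowMillis;
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public AccountCreationRateLimiter(int maxPerWindow, long windowMillis) {
        this.maxPerWindow = maxPerWindow;
        this.windowMillis = windowMillis;
    }

    /** Returns true if the client identified by key may proceed at time now (epoch millis). */
    boolean allow(String key, long now) {
        // Evict expired windows when the map grows large, so a flood of
        // distinct source addresses cannot exhaust memory.
        if (windows.size() > MAX_TRACKED_KEYS) {
            windows.entrySet().removeIf(e -> now - e.getValue().startMillis >= windowMillis);
        }
        // Atomically start a fresh window if the old one has expired.
        Window w = windows.compute(key, (k, old) ->
            (old == null || now - old.startMillis >= windowMillis) ? new Window(now) : old);
        return w.count.incrementAndGet() <= maxPerWindow;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws IOException {
        // Only account creation (POST) is limited; other methods pass through.
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return true;
        }
        // Behind Apache or another reverse proxy, getRemoteAddr() is the proxy's
        // address. Resolve the real client only from a trusted proxy, e.g. by
        // registering Spring's ForwardedHeaderFilter; never trust X-Forwarded-For blindly.
        String key = request.getRemoteAddr();
        if (allow(key, System.currentTimeMillis())) {
            return true;
        }
        response.setStatus(429); // Too Many Requests
        response.setHeader("Retry-After", String.valueOf(windowMillis / 1000));
        response.getWriter().write("Too many account creation attempts; try again later.");
        return false; // stops the chain; the controller is never invoked
    }

    /** Registers the limiter on the account-creation path from the question. */
    @Configuration
    public static class Registration implements WebMvcConfigurer {
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(new AccountCreationRateLimiter(5, 60_000L)) // 5 per minute (constructed)
                    .addPathPatterns("/rest/account");
        }
    }
}
```

The in-memory map is per JVM, so with several API instances each node enforces its own quota; a shared store would be needed for a cluster-wide limit. Per-IP counting also throttles legitimate users behind a shared NAT, which is why it is usually combined with a second signal (for example an e-mail verification step) rather than used alone.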