The technical term for this is Single Signon (SSO). Traditionally, this was something that
Tomcat would do using a third-party Realm, and I think that there was one from Carnegie-Mellon University that was popular.
But when I checked, it seems that Tomcat added a Valve-based SSO mechanism somewhere around Tomcat 8. I'm not sure if it's as universal as the aforementioned, but it may be of use, since it apparently can interact with JBoss 5, if not later WildFly reeleases. See
https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/5/html/http_connectors_load_balancing_guide/clustering-http-sso
Note that this is a base-level Tomcat configuration thing and I'm so sure what you'd do to make it play nicely with Spring Security.
It's based on a shared cookie, so I'm also unclear if that would be a problem for ReST.