I'm currently developing my first web service and I'm unsure of which
authentication strategy to use.

The web service may be accessed directly, for which the application
should use XML headers to authenticate the application and perhaps
also the user. Alternatively, the service can be accessed through a
web application (JSP/Servlet setup) for which some of the webservice
fuctions should be available (showing latest items etc) and some
should require the user to login before they can be run (creating a
new item etc).

Ideally the service would use an API such as JAAS to provide a secure
authentication mechanism and the option to swap out the user database.
Perhaps for an LDAP directory, for example.

I understand that I could provide two tiers of authentication, one for
the application/web application and one for the user of the
application but I'm confused as to how to maintain the user session
without having to re-authenticate every time a request to the service
is made. If there are two tiers of authentication this would cause a
serious load on the server.

I would appreciate an answer that can suggest an efficient way to
provide an authentication mechanism for this scenario. A mechanism
which can be extended to support LDAP/Kerberos and is open source
would be ideal.

Thanks, Niall