Spring Security REST Webservice Anonymous Authentication Session Management

I've written a RESTful webservice using Spring MVC. I essentially enrol a customer then add further details following enrollment. The flow is basically as follows:

  1. Enter 1st set of enrollment information. This gets validated by the webservice and returns to the client

  2. Enter 2nd Set of enrollment information. This also gets validated by the webservice and returns to the client.

  3. Enrollment is confirmed. User can now add further specific account details via various webservice calls.

Step 1 and 2 do not require the user to be logged in (they can't be as they don't have full login details yet). However, I need a session as users should not be able to complete step 2 unless step 1 has been completed. Once enrollment is complete I want the user to login and create a full authenticated session to enable further details to be added.

Having read the Spring Security docs I think I'm ok with the authenticated session following successful enrollment (although it's complicated because I don't have an actual login.jsp). What I can't understand from the Spring docs is if it's even possible to maintain session state between anonymous requests. Looking at how information is pulled from the SecurityContextHolder, it all seems to depend upon UserDetails (which of course doesn't exist). I can understand how it will work for a single unauthenticated request but I'm just unsure about multiple unauthenticated requests by the same user.

Is it even possible to maintain a session for anonymous requests in Spring Security?
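
The step ordering described in the question can be enforced with the servlet `HttpSession`, which exists independently of any authenticated `UserDetails`. The sketch below is an added example, not part of the original post; the controller, paths, field names and session key are hypothetical, and it assumes the client returns the session cookie and that both endpoints are reachable without authentication.

```java
// Added illustration: all class, path, field and attribute names are hypothetical.
import jakarta.servlet.http.HttpSession; // javax.servlet.http.HttpSession on older Spring versions
import java.util.HashMap;
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/enrollment")
public class EnrollmentController {

    private static final String STEP1_DATA = "enrollment.step1"; // hypothetical session key

    // Step 1: anonymous caller. Declaring an HttpSession parameter makes Spring MVC
    // create a session (and session cookie) even though nobody is logged in.
    @PostMapping("/step1")
    public ResponseEntity<Void> step1(@RequestBody Map<String, String> form, HttpSession session) {
        if (!hasText(form, "email")) {               // assumed step-1 field
            return ResponseEntity.badRequest().build();
        }
        session.setAttribute(STEP1_DATA, new HashMap<>(form));
        return ResponseEntity.noContent().build();
    }

    // Step 2: still anonymous, but refused unless this same session passed step 1.
    @PostMapping("/step2")
    public ResponseEntity<Void> step2(@RequestBody Map<String, String> form, HttpSession session) {
        if (session.getAttribute(STEP1_DATA) == null) {
            return ResponseEntity.status(HttpStatus.CONFLICT).build();
        }
        if (!hasText(form, "postcode")) {            // assumed step-2 field
            return ResponseEntity.badRequest().build();
        }
        // Persisting the combined enrollment depends on the application's storage
        // and is left out here.
        // Drop the anonymous session so the later login starts from a fresh one
        // and no pre-login state or session id carries over.
        session.invalidate();
        return ResponseEntity.noContent().build();
    }

    private static boolean hasText(Map<String, String> form, String key) {
        String value = form.get(key);
        return value != null && !value.trim().isEmpty();
    }
}
```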
