I implemented a tomcat valve checking those tokens and generating new
ones transparently when another valve (such as BasicAuthenticator) takes
care of the initial authentication.
This stuff works and I can use it in a JS client app by setting the
"Authorization" header with the token on every HTTP request.