Web Services & Sessions
Has anyone had experience with sessions & web services?
I've already read that Axis2 handles this issue. Do you have any idea if other frameworks (Spring?) have addressed it also?
Comments
I never saw a mention of this functionality in Spring WS. Chances are, it's doable with some coding. Can I ask why you need sessions in WS?
The request came from a customer I work for.
The need is to have a web service act as a typical enterprise application, meaning login -> some actions based on authentication permissions -> logout.
The idea is not to send authentication on every web service request.
I know I can write something to make it work, but I prefer not to reinvent the wheel.
Did you look at this: http://static.springsource.org/spring-ws/sites/1.5/reference/html/securi...
Looks like your task is pretty straightforward with WS-Authorization.
Thanks for the quick reply, Andrew.
As stated at the link, in section 7.2.2, "Authentication":
As stated in the introduction, authentication is the task of determining whether a principal is who they claim to be. Within WS-Security, authentication can take two forms: using a username and password token (using either a plain text password or a password digest), or using a X509 certificate.
The problem is not authenticating principals but web services and session handling.
The requirement I have is not to send username/password (certificate is out of scope) on every request, therefore I can't use this framework.
If I needed to design the communication in the situation you explain, I would use digest authentication over HTTPS. From the security point of view, HTTP sessions are less strong than a digest, because the token is sent in the HTTP POST body and the JSESSIONID is sent in the header. Using HTTPS can solve the "man in the middle attack" problem if you do it right.
On the other hand, if you prefer using sessions, why not use Axis2, as you mentioned earlier?