Posted to users@cxf.apache.org by Andres Olarte <ol...@gmail.com> on 2009/11/18 02:08:00 UTC
Stateful webservices
Hi,
What's the best way to implement stateful web services? I was thinking of
including a session id with every call, but was wondering if there's a
better way.
Thanks,
Andres
RE: Stateful webservices
Posted by "Pydipati, Karuna" <kp...@stubhub.com>.
We are also doing a similar thing, but we are sending session-related
information in cookies (REST calls). We use SessionGuid (Oracle) instead
of using predictable Oracle sequence IDs. An ID > 256 bits long, secure
random seeded, is also a good idea.
Some sample REST interfaces we are using:
@Path("/issession")
@GET
public com.xxx.webservices.common.UserResponse isSessionValid();
@Path("/createsession")
@POST
public com.xxx.webservices.common.UserResponse createSession();
@Path("removesession")
@DELETE
public com.xxx.webservices.common.UserResponse invalidateSession();
Regards
Karuna Pydipati
StubHub/eBay - Platform & Services
Phone: (415)222-8752
Email: kpydipati@ebay.com
-----Original Message-----
From: Andres Olarte [mailto:olarte.andres@gmail.com]
Sent: Tuesday, November 17, 2009 7:24 PM
To: users@cxf.apache.org
Subject: Re: Stateful webservices
Thanks for your input. How are you passing the session id from the
client?
Is it defined in the wsdl, or are you using Out of Band headers?
Re: Stateful webservices
Posted by vickatvuuch <vl...@gmail.com>.
I put together a custom WSDLQueryHandler which sneaks in my custom security
header.
This way I managed to do it in one place and not to pollute all the ports.
Search for my posts, there is an example there.
olarte.andres wrote:
>
> Thanks for your input. How are you passing the session id from the client?
> Is it defined in the wsdl, or are you using Out of Band headers?
>
--
View this message in context: http://old.nabble.com/Stateful-webservices-tp26400779p26402142.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Stateful webservices
Posted by Andres Olarte <ol...@gmail.com>.
Thanks for your input. How are you passing the session id from the client?
Is it defined in the wsdl, or are you using Out of Band headers?
On Tue, Nov 17, 2009 at 8:47 PM, vickatvuuch <vl...@gmail.com> wrote:
>
> I put together my own session store bean which is shared by all Impl beans.
> Later you could use Hibernate cache to replicate it cross hosts..
> The Auth.login does auth and generates sessions, then client sends
> this sessionid in the SOAP header or on the REST request.
> You put together an In interceptor to validate session key and either
> let request in or bounce it. Of course the key has to be long > 256bit long
> secure random seeded, expiring, etc.
> Maybe there is a better way, will watch what others say..
Re: Stateful webservices
Posted by vickatvuuch <vl...@gmail.com>.
I put together my own session store bean which is shared by all Impl beans.
Later you could use Hibernate cache to replicate it cross hosts..
The Auth.login does auth and generates sessions, then client sends
this sessionid in the SOAP header or on the REST request.
You put together an In interceptor to validate session key and either
let request in or bounce it. Of course the key has to be long > 256bit long
secure random seeded, expiring, etc.
Maybe there is a better way, will watch what others say..
olarte.andres wrote:
>
> Hi,
>
> What's the best way to implement stateful web services? I was thinking of
> including a session id with every call, but was wondering if there's a
> better way.
>
> Thanks,
>
> Andres
>
>
--
View this message in context: http://old.nabble.com/Stateful-webservices-tp26400779p26401116.html
Sent from the cxf-user mailing list archive at Nabble.com.
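The session store and In interceptor described in the message above, as an added example that is not code from this thread or from CXF itself. The class names, the X-Session-Id header and the 30-minute lifetime are assumptions, and the header lookup assumes the transport's header map matches the name as written.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

// Hypothetical shared store: unguessable 256-bit ids, each with an expiry time.
class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 30 * 60 * 1000L; // assumed lifetime
    private final Map<String, Long> expiryById = new ConcurrentHashMap<>();
    String create() { // call only after login has authenticated the caller
        byte[] raw = new byte[32]; // 32 bytes = 256 bits from the CSPRNG
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        expiryById.put(id, System.currentTimeMillis() + TTL_MILLIS);
        return id;
    }
    boolean isValid(String id) {
        Long expiry = (id == null) ? null : expiryById.get(id);
        if (expiry != null && System.currentTimeMillis() < expiry) return true;
        if (id != null) expiryById.remove(id); // unknown or expired: refuse
        return false;
    }
}

// In interceptor: validates the session id and lets the request in or bounces it.
public class SessionCheckInterceptor extends AbstractPhaseInterceptor<Message> {
    static final String HEADER = "X-Session-Id"; // assumed header name
    private final SessionStore store;
    public SessionCheckInterceptor(SessionStore store) {
        super(Phase.PRE_INVOKE); // runs before the service method is called
        this.store = store;
    }
    @Override
    public void handleMessage(Message message) throws Fault {
        Map<String, List<String>> headers =
            (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
        List<String> values = (headers == null) ? null : headers.get(HEADER);
        String id = (values == null || values.isEmpty()) ? null : values.get(0);
        if (!store.isValid(id)) {
            throw new Fault(new SecurityException("invalid or expired session"));
        }
    }
}
```

Attach the interceptor to every endpoint except the login operation, which has to stay reachable without a session.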
Re: Stateful webservices
Posted by Sergey Beryozkin <sb...@progress.com>.
Hi
In addition to what others have said, I'd also like to add that it is also
possible to configure the client runtime to maintain a current session
(provided cookies are used), using an
org.apache.cxf.message.Message.MAINTAIN_SESSION property, should work for both
JAXWS & JAXRS...
cheers, Sergey
> Hi,
>
> What's the best way to implement stateful web services? I was thinking of
> including a session id with every call, but was wondering if there's a
> better way.
>
> Thanks,
>
> Andres
>
Re: Stateful webservices
Posted by Daniel Kulp <dk...@apache.org>.
Is there any particular reason why a normal HTTP session cookie cannot be
used? Doing it that way allows a lot of powerful things like using the
Spring AOP stuff to provide a stateful object per session, etc...
By default, sessions are turned off on the client, but they are easy to turn
on. It's part of the jaxws spec.
Dan
On Tue November 17 2009 8:08:00 pm Andres Olarte wrote:
> Hi,
>
> What's the best way to implement stateful web services? I was thinking of
> including a session id with every call, but was wondering if there's a
> better way.
>
> Thanks,
>
> Andres
>
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog