You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Rajeev jha <jh...@gmail.com> on 2008/10/30 14:41:49 UTC
Implementing Cookies for SOAP services
Hi
We have a requirement to implement an http session like scheme for our CXF
web services. Essentially you connect to web service and receive an
identifier. Later you present that identifier and that is how web service
"remembers" you. standard http session stuff. We believe this cookies over
SSL scheme is good enough for our purpose.
The problem is, since these are SOAP APIs we need some
library/implementation that works like http session handling (but without
http web requests). I would like to ask if anyone is aware of some libraries
that let you generate identifier tokens with expiry time stamp? something
That would let us simulate the http sessions?
Tia and regards
-rajeev.
--
View this message in context: http://www.nabble.com/Implementing-Cookies-for-SOAP-services-tp20247250p20247250.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Implementing Cookies for SOAP services
Posted by Rajeev jha <jh...@gmail.com>.
Thanks.
I am on tomcat. I will look at ws-security though. If it is easy to setup
digital certificates exchange then I may as well try that.
Thanks
-rajeev.
Glen Mazza wrote:
>
> It's in the process of being built with CXF right now (we're not there
> yet), but what you're describing looks very much like using
> WS-SecureConversation, already available with Metro. I would consider
> that before rolling your own solution.
>
> Glen
>
>
> Rajeev jha wrote:
>>
>> Hi
>> We have a requirement to implement an http session like scheme for our
>> CXF web services. Essentially you connect to web service and receive an
>> identifier. Later you present that identifier and that is how web service
>> "remembers" you. standard http session stuff. We believe this cookies
>> over SSL scheme is good enough for our purpose.
>>
>> The problem is, since these are SOAP APIs we need some
>> library/implementation that works like http session handling (but without
>> http web requests). I would like to ask if anyone is aware of some
>> libraries that let you generate identifier tokens with expiry time stamp?
>> something That would let us simulate the http sessions?
>>
>> Tia and regards
>>
>> -rajeev.
>>
>
>
--
View this message in context: http://www.nabble.com/Implementing-Cookies-for-SOAP-services-tp20247250p20267814.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Implementing Cookies for SOAP services
Posted by Glen Mazza <gl...@gmail.com>.
It's in the process of being built with CXF right now (we're not there yet),
but what you're describing looks very much like using WS-SecureConversation,
already available with Metro. I would consider that before rolling your own
solution.
Glen
Rajeev jha wrote:
>
> Hi
> We have a requirement to implement an http session like scheme for our CXF
> web services. Essentially you connect to web service and receive an
> identifier. Later you present that identifier and that is how web service
> "remembers" you. standard http session stuff. We believe this cookies
> over SSL scheme is good enough for our purpose.
>
> The problem is, since these are SOAP APIs we need some
> library/implementation that works like http session handling (but without
> http web requests). I would like to ask if anyone is aware of some
> libraries that let you generate identifier tokens with expiry time stamp?
> something That would let us simulate the http sessions?
>
> Tia and regards
>
> -rajeev.
>
--
View this message in context: http://www.nabble.com/Implementing-Cookies-for-SOAP-services-tp20247250p20266321.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Implementing Cookies for SOAP services
Posted by Daniel Kulp <dk...@apache.org>.
Ah! Ok.
You CAN share the session across clients, but you'll need to do a bit of CXF
proprietary work to do it. Basically you have to extract out the Cookie
from the response and set it into other clients.
To extract it, the easiest is to get the HTTP_RESPONSE_HEADERS from the
response context and find the Set-Cookie headers and record them. You may
need to process them a little, but nothing major.
To set the cookie on other clients, do:
Client client = ClientProxy.getClient(proxy);
Conduit conduit = client.getConduit();
if(conduit instanceof HTTPConduit) {
HTTPClientPolicy policy = ((HTTPConduit)conduit).getClient();
if(policy == null) {
policy = new HTTPClientPolicy();
((HTTPConduit)conduit).setClient(policy);
}
policy.setCookie(/*value of the Cookie: header*/);
Some of this was taken from some work Ian Roberts discussed on:
http://www.nabble.com/Custom-HTTP-Headers-to19775288.html#a19776735
Hope that helps!
Dan
On Monday 03 November 2008 2:09:12 pm Rajeev jha wrote:
> Thanks Dan.
> I have looked at this option, Implementing it the way
> http://weblogs.java.net/blog/ramapulavarthi/archive/2006/06/maintaining_ses
>.html described here . The issue however is , I am *not sure* how to use
> this in our setup because of the way we are layering our application .
>
> AFAIK, The scope of JAX-WS sessions are tied to JAX-WS clients , if the
> client dies then effectively the session also dies. If you start a new
> client then effectively you are starting a new session. How will this
> session mechanism work if you have to call JAX-WS web services to render
> data for a browser application? Earlier the browser was just one
> application keeping track of one cookie from one server. Now the problem is
> every new JAX-WS client invocation means a new COOKIE.
>
> Thanks again
>
> -rajeev
>
>
>
>
>
> JAX-WS clients must support sessions via cookies. You need to turn it on
> though.
>
> ((BindingProvider)port).getRequestContext().put(
> BindingProvider.SESSION_MAINTAIN_PROPERTY, "true");
>
> Dan
>
> On Thursday 30 October 2008 9:41:49 am Rajeev jha wrote:
> > Hi
> > We have a requirement to implement an http session like scheme for our
> > CXF web services. Essentially you connect to web service and receive an
> > identifier. Later you present that identifier and that is how web service
> > "remembers" you. standard http session stuff. We believe this cookies
> > over
> > SSL scheme is good enough for our purpose.
> >
> > The problem is, since these are SOAP APIs we need some
> > library/implementation that works like http session handling (but without
> > http web requests). I would like to ask if anyone is aware of some
> > libraries that let you generate identifier tokens with expiry time stamp?
--
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Re: Implementing Cookies for SOAP services
Posted by Rajeev jha <jh...@gmail.com>.
Thanks Dan.
I have looked at this option, Implementing it the way
http://weblogs.java.net/blog/ramapulavarthi/archive/2006/06/maintaining_ses.html
described here . The issue however is , I am *not sure* how to use this in
our setup because of the way we are layering our application .
AFAIK, The scope of JAX-WS sessions are tied to JAX-WS clients , if the
client dies then effectively the session also dies. If you start a new
client then effectively you are starting a new session. How will this
session mechanism work if you have to call JAX-WS web services to render
data for a browser application? Earlier the browser was just one application
keeping track of one cookie from one server. Now the problem is every new
JAX-WS client invocation means a new COOKIE.
Thanks again
-rajeev
JAX-WS clients must support sessions via cookies. You need to turn it on
though.
((BindingProvider)port).getRequestContext().put(
BindingProvider.SESSION_MAINTAIN_PROPERTY, "true");
Dan
On Thursday 30 October 2008 9:41:49 am Rajeev jha wrote:
> Hi
> We have a requirement to implement an http session like scheme for our CXF
> web services. Essentially you connect to web service and receive an
> identifier. Later you present that identifier and that is how web service
> "remembers" you. standard http session stuff. We believe this cookies
> over
> SSL scheme is good enough for our purpose.
>
> The problem is, since these are SOAP APIs we need some
> library/implementation that works like http session handling (but without
> http web requests). I would like to ask if anyone is aware of some
> libraries that let you generate identifier tokens with expiry time stamp?
--
View this message in context: http://www.nabble.com/Implementing-Cookies-for-SOAP-services-tp20247250p20308635.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Implementing Cookies for SOAP services
Posted by Daniel Kulp <dk...@apache.org>.
JAX-WS clients must support sessions via cookies. You need to turn it on
though.
((BindingProvider)port).getRequestContext().put(
BindingProvider.SESSION_MAINTAIN_PROPERTY, "true");
Dan
On Thursday 30 October 2008 9:41:49 am Rajeev jha wrote:
> Hi
> We have a requirement to implement an http session like scheme for our CXF
> web services. Essentially you connect to web service and receive an
> identifier. Later you present that identifier and that is how web service
> "remembers" you. standard http session stuff. We believe this cookies over
> SSL scheme is good enough for our purpose.
>
> The problem is, since these are SOAP APIs we need some
> library/implementation that works like http session handling (but without
> http web requests). I would like to ask if anyone is aware of some
> libraries that let you generate identifier tokens with expiry time stamp?
> something That would let us simulate the http sessions?
>
> Tia and regards
>
> -rajeev.
--
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog