Posted to soap-user@ws.apache.org by Robert Dietrick <rd...@sega.com> on 2002/06/11 19:59:29 UTC

session handling

I'm attempting to write a stateful SOAP service which requires
authentication of the client before any remote methods are called.  I
was envisioning the following flow of events:
1. client creates Call and executes remote authorization(user, pass)
method
2. remote service authorizes client and creates session if
authentication is successful
3. if auth was successful, client then calls remote method foo() with
same Call object
4. remote service checks for auth token in session and determines whether
the call should be executed...

Where any attempt at step 4 without prior authorization and session
creation would fail.

The docs make reference to session maintenance as follows:
...if a service you are talking to via HTTP sets the appropriate HTTP
cookies to maintain the session, those will be copied and stored in the
call object used to invoke the service.

My understanding of RPC SOAP services is that the remote service knows
nothing about the context in which it's running (SOAP) and therefore has
no reference to things like HttpServletRequests.  Therefore, I don't
understand how the service would create and manage a session for a
request.  Does my service need to be an EJB or something?  Can anyone
provide any insight?

Thanks.

-rob
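
Added example, not part of the original post and not Apache SOAP code: a minimal Python model of the four-step flow above, in which the server-side dispatcher (not the business method) owns the session table and refuses foo() unless the call carries a valid, unexpired session cookie. The names Service, Call, USERS and SESSION_TTL, and the credentials, are constructed for illustration.

```python
import hmac
import secrets
import time

SESSION_TTL = 900               # assumed session lifetime in seconds
USERS = {"rob": "s3cret"}       # constructed credentials; store salted hashes in practice

class Service:
    """Server side: the dispatcher holds session state, foo() never sees the transport."""
    def __init__(self):
        self.sessions = {}                      # session id -> (user, expiry time)
        self.methods = {"foo": self._foo}       # explicit allowlist of remote methods

    def authorize(self, user, password):
        """Steps 1-2: check credentials, mint an unguessable session id on success."""
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(32)         # would travel back as a Set-Cookie value
        self.sessions[sid] = (user, time.time() + SESSION_TTL)
        return sid

    def dispatch(self, method, cookie, now=None):
        """Step 4: reject the call unless the cookie maps to a live session."""
        now = time.time() if now is None else now
        entry = self.sessions.get(cookie) if cookie else None
        if entry is None or entry[1] < now:
            self.sessions.pop(cookie, None)     # drop expired sessions
            raise PermissionError("not authenticated")
        if method not in self.methods:
            raise LookupError("no such method")
        return self.methods[method](entry[0])

    def _foo(self, user):
        return "foo() ran for " + user

class Call:
    """Client side: stands in for a call object that stores the session cookie."""
    def __init__(self, service):
        self.service, self.cookie = service, None

    def authorization(self, user, password):
        self.cookie = self.service.authorize(user, password)
        return self.cookie is not None

    def invoke(self, method):                   # step 3: same Call object, same cookie
        return self.service.dispatch(method, self.cookie)
```
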