How can I manage users' sessions when I use web services?

Question

In case if user works with web application via web browser, the user's session is managed by application server. It takes care of sessions creation, validation, timeouts, disposings, etc.

And as far as I know there is no such mechanisms in the other case, if user works with app via remote client and uses SOAP web services.

So the question is, how can we manage users' sessions in case of web services and implement the same mechanisms of session management such as invalidation, prolongation, disposing?

Answer 1

Assuming you use JAX-WS and SOAP/HTTP it is possible to work with container managed security (and e.g. session cookies) as well. You just have to inject WebServiceContext in your service. It allows access to all HTTP environment variables:

@Resource
WebServiceContext wsContext;

A detailed example is available here. Of course, your clients must support this as well (if they are JAX-WS based it works). Nevertheless, a rule of thumb is that web services should not maintain any state at all, they should behave stateless. See this on SO.

Edit: You can access the ServletRequest by:

@WebMethod
public void foo() {
    final MessageContext mc = this.wsContext.getMessageContext();
    final ServletRequest sr = mc.get(MessageContext.SERVLET_REQUEST);

    /* works if this is a HTTP(s) request */
    if (sr != null && sr instanceof HttpServletRequest) {
        final HttpServletRequest hsr = (HttpServletRequest) sr;
        hsr.getSession(true);

        /* ... */

    } else {
        /* do some exceptional stuff */
    }

}

The session created above should behave in exactly the same way as a 'standard' web session. You must make sure that your clients understand that as well. They have to submit the session identifier (cookie) on each subsequent call.

Answer 2

• Web Service does not support session state for achieving high scalability, web service is designed stateless.
• Session state handling is not a part of SOAP specification. The cookie stores a token which acts as session identifier. There are a number of ways to pass the session identifier: as an HTTP cookie, as a SOAP header, or as an element in the SOAP message body.
• A SOAP header is transport independent, but it requires the SOAP client and service to agree on the format of the SOAP header, and it required that both the SOAP client and SOAP server implementations support SOAP headers. If you use the SOAP body to pass the session id, then it's up to the service (i.e., your application code) to re-establish the state on each call. Stateful processing can make cross-SOAP interoperability a bit more challenging, but it does work. Check into the capabilities of your SOAP implementation. source

Answer 3

I think you are talking about how to maintain web-services session(state-full web-services).
In this case following link can help you:
https://blogs.oracle.com/sujit/entry/ws_addressing_and_stateful_webservice