
How can I manage users' sessions when I use web services?

When a user works with a web application via a web browser, the user's session is managed by the application server. It takes care of session creation, validation, timeouts, disposal, etc.

And as far as I know there are no such mechanisms in the other case, when a user works with the app via a remote client and uses SOAP web services.

So the question is, how can we manage users' sessions in the case of web services and implement the same session management mechanisms, such as invalidation, prolongation, and disposal?

Vladimir Salin asked Nov 07 '11 12:11



3 Answers

Assuming you use JAX-WS and SOAP/HTTP it is possible to work with container managed security (and e.g. session cookies) as well. You just have to inject WebServiceContext in your service. It allows access to all HTTP environment variables:

@Resource
WebServiceContext wsContext;

A detailed example is available here. Of course, your clients must support this as well (if they are JAX-WS based it works). Nevertheless, a rule of thumb is that web services should not maintain any state at all; they should be stateless. See this on SO.

Edit: You can access the ServletRequest by:

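// Needs javax.xml.ws.handler.MessageContext, javax.servlet.ServletRequest
// and javax.servlet.http.HttpServletRequest in addition to WebServiceContext.
@WebMethod
public void foo() {
    final MessageContext mc = this.wsContext.getMessageContext();
    // MessageContext.get() returns Object, so the value has to be cast
    final ServletRequest sr = (ServletRequest) mc.get(MessageContext.SERVLET_REQUEST);

    /* works if this is an HTTP(S) request; instanceof is false for null */
    if (sr instanceof HttpServletRequest) {
        final HttpServletRequest hsr = (HttpServletRequest) sr;
        hsr.getSession(true); // creates the session if none exists yet

        /* ... */

    } else {
        /* do some exceptional stuff */
    }

}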

The session created above should behave in exactly the same way as a 'standard' web session. You must make sure that your clients understand that as well. They have to submit the session identifier (cookie) on each subsequent call.

home answered Oct 23 '22 05:10


  • A web service does not support session state; to achieve high scalability, a web service is designed to be stateless.
  • Session state handling is not a part of the SOAP specification. The cookie stores a token which acts as a session identifier. There are a number of ways to pass the session identifier: as an HTTP cookie, as a SOAP header, or as an element in the SOAP message body.
  • A SOAP header is transport independent, but it requires the SOAP client and service to agree on the format of the SOAP header, and it requires that both the SOAP client and SOAP server implementations support SOAP headers. If you use the SOAP body to pass the session id, then it's up to the service (i.e., your application code) to re-establish the state on each call. Stateful processing can make cross-SOAP interoperability a bit more challenging, but it does work. Check into the capabilities of your SOAP implementation. source
Premraj answered Oct 23 '22 05:10
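
When the session identifier travels in a SOAP header or body rather than a container-managed cookie, creation, validation, prolongation, invalidation and disposal all fall to application code. The following is an added example, not part of the original answers, of a minimal server-side registry that does this; the class name, the timeouts and the sample user are assumptions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added example (Java 16+): hypothetical registry for session tokens sent in a SOAP header or body.
public class SoapSessionRegistry {
    private record Entry(String user, Instant created, Instant lastSeen) {}
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final Duration idle, maxLife;
    SoapSessionRegistry(Duration idle, Duration maxLife) { this.idle = idle; this.maxLife = maxLife; }

    // Creation: issue an unguessable 256-bit token once the caller has authenticated.
    String create(String user, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Entry(user, now, now));
        return token;
    }
    // Validation and prolongation: a valid call slides the idle window but never the hard lifetime cap.
    Optional<String> touch(String token, Instant now) {
        if (token == null) return Optional.empty();
        Entry e = sessions.computeIfPresent(token, (t, old) ->
                expired(old, now) ? null : new Entry(old.user(), old.created(), now));
        return Optional.ofNullable(e).map(Entry::user);
    }
    // Invalidation: explicit logout removes the server-side state, so the token is dead at once.
    boolean invalidate(String token) { return token != null && sessions.remove(token) != null; }
    // Disposal: run periodically to drop sessions that timed out without a logout.
    int purge(Instant now) {
        int before = sessions.size();
        sessions.values().removeIf(e -> expired(e, now));
        return before - sessions.size();
    }
    private boolean expired(Entry e, Instant now) {
        return now.isAfter(e.lastSeen().plus(idle)) || now.isAfter(e.created().plus(maxLife));
    }
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock value
        SoapSessionRegistry reg = new SoapSessionRegistry(Duration.ofMinutes(20), Duration.ofHours(8));
        String token = reg.create("alice", t0); // "alice" is a constructed user name
        System.out.println(reg.touch(token, t0.plus(Duration.ofMinutes(15)))); // within the idle window
        System.out.println(reg.touch(token, t0.plus(Duration.ofMinutes(60)))); // 45 idle minutes
    }
}
```

The token should only ever be sent over TLS, and a fresh one should be issued at login rather than reusing a value supplied by the client.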


I think you are talking about how to maintain a web services session (stateful web services).
In this case the following link can help you:
https://blogs.oracle.com/sujit/entry/ws_addressing_and_stateful_webservice

jaxb answered Oct 23 '22 05:10