
  • SOAP-based session handling?

    What is best practice to realize SOAP-based session handling with Spring-WS?

    br mindy

  • #2
    The easiest way would be to give your beans session scope in the application context.



    • #3
      Yeah but would that be appropriate for SOAP since it is transport agnostic? From what I've read on the Spring docs session scope is for HTTP Sessions. Future releases of Spring-WS will support transports other than HTTP. Am I misunderstanding something?

      Edit: If it is any help, we have one method in a service that accepts a username/password, that returns a byte[] (GUID). That gets passed into every other service/method and a @Before @Aspect gets fired to check the validity of the byte[].



      • #4
        thanks for your replies.

        my approach was to use authentication via spring security over soap header supporting the ws-security standard to be independent from the transport layer.

        the problem is now that after a user has been authenticated, the user details are loaded from ldap and the authentication is stored into SecurityContextHolder. for further requests from the same user it would be beneficial to avoid loading the user details from ldap again. so i thought of some kind of soap-based session handling to store the authentication info between the requests.

        @ arjen: using bean session scope is not satisfying, because of the transport layer constraint. is there an alternative to be independent from http?

        @ mmccaskill: using a guid works like http session handling? it would be a "selfmade" solution without supporting standards. combining ws-security standard with your suggestion -- maybe...

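The token approach from post #3, combined with the caching need from post #4, as an added example that is not code from any poster or from Spring-WS: a login operation stores the already-loaded user details under a random token, and later requests present that token in a SOAP header instead of triggering another LDAP lookup. `SoapSessionStore`, its method names and the two timeouts are hypothetical; it needs Java 16+ for records.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

// Hypothetical transport-independent session cache; P is whatever the login step loaded.
public class SoapSessionStore<P> {
    private record Entry<P>(P principal, Instant created, Instant lastSeen) {}

    private final ConcurrentHashMap<String, Entry<P>> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration idleTimeout, maxLifetime;
    private final Supplier<Instant> clock;   // injectable so expiry can be unit-tested

    public SoapSessionStore(Duration idleTimeout, Duration maxLifetime, Supplier<Instant> clock) {
        this.idleTimeout = idleTimeout;
        this.maxLifetime = maxLifetime;
        this.clock = clock;
    }

    // Call once, after the credential check and directory lookup have succeeded.
    public String open(P principal) {
        byte[] raw = new byte[32];           // 256 bits from a CSPRNG, so tokens cannot be guessed
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Instant now = clock.get();
        sessions.put(token, new Entry<>(principal, now, now));
        return token;
    }

    // Call on every later request with the token taken from the SOAP header.
    public Optional<P> resolve(String token) {
        if (token == null) return Optional.empty();
        Instant now = clock.get();
        Entry<P> live = sessions.computeIfPresent(token, (k, old) -> {
            boolean expired = now.isAfter(old.lastSeen().plus(idleTimeout))
                    || now.isAfter(old.created().plus(maxLifetime));
            return expired ? null : new Entry<>(old.principal(), old.created(), now);
        });
        return Optional.ofNullable(live).map(Entry::principal);
    }

    // Explicit sign-out: the token stops resolving immediately.
    public void close(String token) { if (token != null) sessions.remove(token); }
}
```

An empty `Optional` from `resolve` means the caller has to authenticate again. Because the token is a bearer credential, the message carrying it needs confidentiality on every transport it travels over.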


        • #5
          Originally posted by mindy:
          @ mmccaskill: using a guid works like http session handling?
          Kind of. But SOAP can use more than HTTP. TCP/IP, JMS, etc. So I'm not sure using Spring session scope is appropriate unless you aren't going to switch transports.

          Originally posted by mindy:
          it would be a "selfmade" solution without supporting standards. combining ws-security standard with your suggestion -- maybe...
          Possibly. Honestly I haven't the time to research how to properly do what I am doing with WS-Security. And although the-powers-that-be think that by using SOAP (possibly other kinds like REST) we could sell this system, I don't see that happening. At least in the first released version. So we would be the only client using our web services.



          • #6
            Hello All,

            I think you started a very interesting discussion. I did some thinking about the same problems and I was astonished to see that I am not the only one.
            Actually my architecture is quite similar to the one of mindy.

            I looked around and found mainly two possibilities (at least if you want to stick to a standard):
            - WS-Session .. but I think this standard is not very widely known
            - WS-Addressing .. has a message correlation feature that would allow to express that a certain message relates to the sign-in message. With this you could load the context.

            I would be interested in your opinions about this approach?

            Tobias
