0


I have an applet loaded by browser.
This applet makes web service calls to server.
If I sign the applet and download it via https by the server, if then I make a web service call, would it be possible to reuse the existing ssl session or will the https would have to be reestablished?
I think that the https (i.e. ssl handshake) would have to be reestablished since the initial connection was made by browser. Is this the case?
If yes, then is there a way to avoid reauthentication when the user starts using the applet? I.e. reuse the previous ssl connection, or is it impossible? BTW the web service stack is axis2.

Thanks

Cratylus
  • 52,998
  • 69
  • 209
  • 339

1 Answers1

2

https and authentification are different things. Of course they are working together when you authentificate with user/password over https.

https can be used for authentification when client authentification is enabled. So the client must send a valid (signed) certificate to the server. But i supose you have a user/password over https authentifation method.

Once the browser has logged in, normally the server creates and holds a session and the browser receives a session cookie. That cookie will be send on consecutive requests after login (still encrypted by https).

If you pass the session cookie to the applet the applet can reuse the session.

Update

Impossible to explain you this in detail. You should search and read for Java Applet communication.

  • You can call methods of the applet from javascript and access the web page/browser state from the applet (Applet.getAppletContext()).

  • You may call the applet with a parameter that contains the session id.

The session cookie name may be JSESSIONID when the web server is a servlet container.

If your web server is a servlet container then you can pass the session id in diferent ways: as cookie in the request header or coded into the URL (URL rewriting).

Community
  • 1
  • 1
PeterMmm
  • 24,152
  • 13
  • 73
  • 111
  • Interesting.How would I get that session cookie from the browser though?Also how would I pass it to the web service stack I am using, to send the cookie in the connections back to the server?I do not know!Could you please elaborate on how to do this? – Cratylus Jan 19 '11 at 17:12
  • Ok, I think I understand what you mean.But is JSESSIONID indeed used by server for SSL? – Cratylus Jan 22 '11 at 08:39
  • The name for the session cookie JSESSIONID comes from the Java Servlet specification (when you create a session in your servlet the server response will include a session cookie with name JSESSIONID). It has nothing to do with SSL at all. http://stackoverflow.com/questions/595872/under-what-conditions-is-a-jsessionid-created – PeterMmm Jan 22 '11 at 09:35
  • What you say makes sense.I will accept this as the answer,but I can not be sure until I try it. – Cratylus Jan 22 '11 at 12:47