11

If a user works with a web application via a web browser, the user's session is managed by the application server. It takes care of session creation, validation, timeouts, disposal, etc.

And as far as I know there are no such mechanisms in the other case, when the user works with the app via a remote client and uses SOAP web services.

So the question is, how can we manage users' sessions in the case of web services and implement the same mechanisms of session management such as invalidation, prolongation, and disposal?

Vladimir Salin

3 Answers

10

Assuming you use JAX-WS and SOAP/HTTP it is possible to work with container managed security (and e.g. session cookies) as well. You just have to inject WebServiceContext in your service. It allows access to all HTTP environment variables:

```java
@Resource
WebServiceContext wsContext;
```

A detailed example is available here. Of course, your clients must support this as well (if they are JAX-WS based it works). Nevertheless, a rule of thumb is that web services should not maintain any state at all; they should behave statelessly. See this on SO.

Edit: You can access the ServletRequest by:

```java
@WebMethod
public void foo() {
    final MessageContext mc = this.wsContext.getMessageContext();
    // MessageContext.get() returns Object, so test the type before casting
    final Object sr = mc.get(MessageContext.SERVLET_REQUEST);

    /* works if this is an HTTP(S) request */
    if (sr instanceof HttpServletRequest) {
        final HttpServletRequest hsr = (HttpServletRequest) sr;
        // creates a container-managed HttpSession if none exists yet
        hsr.getSession(true);

        /* ... */

    } else {
        /* do some exceptional stuff */
    }
}
```

The session created above should behave in exactly the same way as a 'standard' web session. You must make sure that your clients understand that as well. They have to submit the session identifier (cookie) on each subsequent call.

Community
home
  • So if I'm not mistaken, I can only `get` the context with the help of `WebServiceContext`. Is it possible, for example, to create a new session and somehow store it in the container? – Vladimir Salin Nov 08 '11 at 06:29
  • @sainr: If I remember correctly - yes. I'll modify my answer. – home Nov 08 '11 at 06:32
  • @home So then applications utilizing a WS as the back-end maintain their session solely through the front-end e.g. localStorage? – Honinbo Shusaku Aug 16 '16 at 13:00
  • I thought using browser storage was bad because it can be overwritten by other applications using it, and it has to be encrypted, whereas on the server, it won't be overwritten – Honinbo Shusaku Aug 16 '16 at 13:16
  • @Abdul: in this scenario a client is not necessarily a browser, it could be a server-side component as well (probably this is the common case for SOAP based WS). Second, a cookie is directly managed by the browser. Third, a session cookie does not contain the state, it is a reference to the server's state management. – home Aug 18 '16 at 09:10
2
  • A web service does not support session state, in order to achieve high scalability; a web service is designed to be stateless.
  • Session state handling is not a part of SOAP specification. The cookie stores a token which acts as session identifier. There are a number of ways to pass the session identifier: as an HTTP cookie, as a SOAP header, or as an element in the SOAP message body.
  • A SOAP header is transport independent, but it requires the SOAP client and service to agree on the format of the SOAP header, and it requires that both the SOAP client and SOAP server implementations support SOAP headers. If you use the SOAP body to pass the session id, then it's up to the service (i.e., your application code) to re-establish the state on each call. Stateful processing can make cross-SOAP interoperability a bit more challenging, but it does work. Check into the capabilities of your SOAP implementation. source
Premraj
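
As an added example (not from any of the answers, and not a JAX-WS API): a minimal application-level session store of the kind the answer above implies when the session identifier travels in a SOAP header or body, covering the creation, validation, prolongation and disposal the question asks about. The class name `SoapSessionStore`, its methods and the 30-minute idle timeout are assumptions; reading the identifier out of the message is left to the service's SOAP stack.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical application-level session store for a SOAP service (not a JAX-WS API). */
public class SoapSessionStore {
    private record Session(String user, Instant lastSeen) {}
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Duration idleTimeout;

    public SoapSessionStore(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    /** Creation: issue an unguessable 128-bit id once the caller has authenticated. */
    public String create(String user, Instant now) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Session(user, now));
        return id;
    }

    /** Validation and prolongation: call on every request with the id from the message. */
    public Optional<String> touch(String id, Instant now) {
        if (id == null) return Optional.empty();
        Session s = sessions.computeIfPresent(id, (k, old) ->
            old.lastSeen().plus(idleTimeout).isBefore(now)
                ? null                               // idle too long: dispose of the entry
                : new Session(old.user(), now));     // still valid: slide the idle timeout
        return Optional.ofNullable(s).map(Session::user);
    }

    /** Invalidation: explicit logout removes the server-side state. */
    public void invalidate(String id) { if (id != null) sessions.remove(id); }

    public static void main(String[] args) {
        SoapSessionStore store = new SoapSessionStore(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");  // constructed sample clock
        String id = store.create("alice", t0);
        System.out.println(store.touch(id, t0.plus(Duration.ofMinutes(20)))); // 20 min idle
        System.out.println(store.touch(id, t0.plus(Duration.ofMinutes(45)))); // 25 min idle
        System.out.println(store.touch(id, t0.plus(Duration.ofMinutes(80)))); // 35 min idle
        store.invalidate(id);
    }
}
```

The identifier is only a reference to server-side state, so expiry and logout take effect on the server regardless of what the client keeps sending.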
2

I think you are talking about how to maintain web-service sessions (stateful web services).
In this case the following link can help you:
https://blogs.oracle.com/sujit/entry/ws_addressing_and_stateful_webservice

jaxb