
I have a COTS application (a PLM application) which has provided a few SOAP APIs to access. Since this SOAP API is highly complex, we are developing an easy-to-use REST wrapper service. Before invoking any API in my COTS application, the authentication API needs to be invoked. In my REST wrapper web service, I have a login resource which invokes the COTS SOAP login API. To keep things simple for my API users, I store the logged-in user details in the user session. In every other REST resource, I retrieve the session and check whether the session has user details. If yes, I proceed and invoke the SOAP API. If not, I return the proper HTTP status code. I use Apache CXF for service and client. I mandate my API users to maintain the session in the client like this:

WebClient.getConfig(client).getRequestContext().put(Message.MAINTAIN_SESSION, Boolean.TRUE);

In every REST tutorial, it is said that REST is stateless. I am doubtful whether what I am doing is correct as per REST standards. Please suggest. Thanks

user131476
  • Just for my information: what will `Message.MAINTAIN_SESSION` do in your case? Copy the cookie from REST server response to next request? – dma_k Feb 18 '12 at 01:57

2 Answers

client.getRequestContext().put(Message.MAINTAIN_SESSION, Boolean.TRUE)

This code causes cookies to be maintained in that specific client only. If you want those cookies to be available in another client, it needs to be programmed. And if the second client receives additional cookies and you want those cookies available in the first client too, how is that possible?

I need something like a root client that maintains cookies of all sub clients. All cookies must be shared among all clients. Like a shared cookie repository for all clients. Does anyone know how to achieve this?

Ajinkya
  • I was able to do it with interceptors. Two interceptors are required. One is added to the inbound chain and looks in every request for Set-Cookie headers. It then stores them in a map that is shared with the outbound interceptor. The outbound interceptor adds cookies to every outgoing HTTP request. With these two interceptors you can share cookies across any client/proxy instances. If you go this way, you don't need the MAINTAIN_SESSION anymore. – Hooman Valibeigi Jun 17 '14 at 13:14
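The interceptor pair described in the comment above, written out as an added example (not code from this thread or from Apache CXF itself); the class and method names are assumptions, and the jar is deliberately scoped to one host so that a captured session cookie is never replayed to a different server:

```java
import java.net.URI;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

// Hypothetical class: one cookie jar, bound to a single host, shared by every WebClient registered with it.
public final class SharedCookieJar {
    private final String host;                                              // cookies are only ever sent back here
    private final Map<String, String> cookies = new ConcurrentHashMap<>();  // cookie name -> value
    public SharedCookieJar(String host) { this.host = host; }

    /** Inbound interceptor: record every Set-Cookie header found in a response. */
    private final class Capture extends AbstractPhaseInterceptor<Message> {
        Capture() { super(Phase.RECEIVE); }
        @Override @SuppressWarnings("unchecked")
        public void handleMessage(Message m) throws Fault {
            Map<String, List<String>> headers = (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS);
            if (headers == null) return;
            for (Map.Entry<String, List<String>> e : headers.entrySet()) {
                if (!"Set-Cookie".equalsIgnoreCase(e.getKey())) continue;
                for (String raw : e.getValue()) {
                    String pair = raw.split(";", 2)[0];  // keep "name=value", drop Path/Expires/HttpOnly attributes
                    int eq = pair.indexOf('=');
                    if (eq > 0) cookies.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
                }
            }
        }
    }

    /** Outbound interceptor: attach the stored cookies, but only to requests bound for our host. */
    private final class Attach extends AbstractPhaseInterceptor<Message> {
        Attach() { super(Phase.PRE_PROTOCOL); }
        @Override @SuppressWarnings("unchecked")
        public void handleMessage(Message m) throws Fault {
            String address = (String) m.get(Message.ENDPOINT_ADDRESS);
            if (cookies.isEmpty() || address == null || !host.equalsIgnoreCase(URI.create(address).getHost())) return;
            Map<String, List<String>> headers = (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS);
            if (headers == null) m.put(Message.PROTOCOL_HEADERS, headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER));
            String cookieHeader = cookies.entrySet().stream()
                    .map(c -> c.getKey() + "=" + c.getValue()).collect(Collectors.joining("; "));
            headers.put("Cookie", Collections.singletonList(cookieHeader));
        }
    }

    /** Wire both interceptors into a client; with these in place MAINTAIN_SESSION is no longer needed. */
    public void register(WebClient client) {
        WebClient.getConfig(client).getInInterceptors().add(new Capture());
        WebClient.getConfig(client).getOutInterceptors().add(new Attach());
    }
}
```

Create one `SharedCookieJar` per target host and call `register` on every WebClient or proxy that should share that host's session; the jar ignores cookie attributes such as Path and Expires, so expired cookies are only dropped when the server replaces them.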

Basically the idea of REST is a stateless interface. However, it is common practice to use some kind of authentication for API calls since most of the time not all resources should be public (e.g. the timeline of a Twitter user over the Twitter API).

Therefore it is ok if you do some kind of authentication and validate a session on further requests (or maybe authenticate with every single request, e.g. with HTTP Basic Access Authentication) to check if access should be granted.

Not part of this and not the idea of a RESTful API would be to store complex session information that would really make the whole thing stateful. This for example includes storage of information of an older request for processing together with one following later.

s1lence