Session management for a web service
I am building a web service where the user will need to log in and the application will need to maintain a persistent session. I am using Apache Axis2 for client/server communication via SOAP/XML. What would be the simplest and most common way of doing this? I know I could implement session management from scratch similarly to how a browser does it, using cookies, but I'd rather use standard Java libraries for this. Am I correct in assuming that even though I'm using Axis2, the solution doesn't really have anything to do with Axis2 since Axis2 is basically just a way for the client/server to send messages to each other?
I've read a lot of information online about this, but there's so much information that it's hard to know where to start. Basically I'm just looking for someone to point me in the right direction on what classes to use and so on. I just need a simple username password authentication and session management system for a web service.
Container Managed Authentication. Does everything you need.
Similar Messages
-
Using Identity Management for Securing Web Services
My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
(My identity management server and OID is up and running and I have successfully made authentication modules for other web applications)
Here is what I did:
1. I wrote a simple Java file, used JDeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through OC4J web tools as security provider.
2. I made a data control for the web service and put it in an ADF application (client).
3. I deployed the client project (2) to OC4J.
I could use the web service through the page.
Then I secured the web service to expect SAML for authentication.
Surprisingly, the client could still communicate with the web service. Why? Shouldn't it have rejected the request because of the problem in SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens.)
4. I added a login page to my client project (through the ADF security wizard). It used identity management for authentication successfully. The login process completes and the web service data control is displayed.
5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
I know I should add <property name="oracle.security.wss.propagate.identity" value ="true"/> to one of the configuration files, but I don't know where exactly.
Best Regards,
Farbod
-
Session Pooling for CRMoD - Web services.
Hi,
We have a Java application which fetches the Contact Data on the basis of the Phone Number in CRMoD, using web services. (it happens on a hyperlink click).
Before fetching the contact data, we establish the session between our app and CRMoD using the URL - https://<pod>.crmondemand.com/Services/Integration?command=login.
The jsessionId is retrieved and then used for subsequent interaction with the web services.
However, every time any user clicks on the hyperlink... the entire process is executed right from the connection establishment to fetching the contact data.
This results in a lot of time for the entire process to execute (roughly around 6-7 seconds).
We would like to reduce the time, possibly by implementing a connection pooling for the login.
Can anyone suggest how to implement a session pool for the JsessionId that is returned from CRMoD?
Regards,
Bibin.
You should definitely move to STATELESS web services for this and not STATEFUL. You also get a bit of scalability.
If you were to pass the SESSIONID around to multiple processes (or one that was threaded), you might still get RIP (ie, concurrency timeouts) errors. By using the STATELESS approach to web services, you get the built in connection pooling plus an automatic handler for concurrency/queueing.
In the STATELESS, all of your processes just supply the USERID/PASSWORD in the call. CRMOD decides whether an existing POOLed connection is used. You actually have to do less in terms of management this way.
We implemented an external facing web application for a client that used a single USERID/PASSWORD to "confirm" an Appointment that was established via STATELESS connections.
Mychal Manie
Hitachi Consulting - Oracle Practice
-
Session management and java Web Service
Hi ,
Can I have two web services, one based on a Session bean and the other on a simple Java class, packaged into a single ear file? Does NetWeaver support web service session management/tracking? How can I get a handle to HttpRequest in my Web Service?
Any help will be appreciated.
Thanks in advance
regards,
rajinder
Container Managed Authentication. Does everything you need.
-
Implementation of session handling for using web services
Hi,
I would like to use session handling in web services using ABAP stack in order to start the session with a user login function followed by other RFC calls till a user logout. So far, I found only the following help note in the SAP online help:
Interface Profile
In the interface profile, choose the required processing type: Stateful or Stateless.
A stateful service retains its status within the framework of a HTTP session throughout several calls from the same service consumer. The standard value for services is Stateless. If you require stateful communication, you can choose this instead.
[http://help.sap.com/saphelp_nwpi71/helpdata/de/45/25291b5a2657c0e10000000a1553f7/content.htm |http://help.sap.com/saphelp_nwpi71/helpdata/en/45/25291b5a2657c0e10000000a1553f7/content.htm]
Please, could someone explain to me the further required steps of SAP's session handling idea, because just setting the status to stateful is still not the solution itself...
Regards,
Jens
Now, I found the possible scenarios, suggested by SAP Help, regarding security for Web Services (http://help.sap.com/saphelp_nw73/helpdata/en/48/8ebbba66be06b2e10000000a42189b/content.htm):
- SAML & WS SecureConversation -> SSO
- WS Security UsernameToken & WS SecureConversation
- User ID and Password in HTTP Header & HTTPS
- SAP Authentication Assertion Ticket & HTTPS -> SSO
- X.509 SSL Client Certificate through HTTPS
- WS Security: X.509 Certificate Authentication at Message Level
Are scenarios with SSO the solution for creating sessions!?
-
Create a session for a web service in jdeveloper10g
Hi All,
Question 1: How to create a session for a java web service created in jdeveloper10g.
Question 2: How to restrict a particular user for accessing a java web service.
I have done this by using key store. But when creating the java web service client, again we have to configure the key store, which should not happen in my case. Hence I would like to create a method for login in a web service, create a session id for the user if he is a valid user and send the session id back to web service client. Using the session id they can access other methods in the web service.
Can anyone suggest how I can accomplish this. Thanks in advance.
I don't know whether this can be discussed or not.
Please delete my topic if this can't be discussed here.
Thank you.
-
Re: (forte-users) Session management for page builder(fwd)
Jaco,
Hope this helps,
John
John Soper, Information Systems Development, ITS, The University of Melbourne
email: j.soperits.unimelb.edu.au >>>> Tel: 9344 5612
---------- Forwarded message ----------
Date: Mon, 10 Jan 2000 16:34:31 +1100
From: Lyle Winton <L.Wintonits.unimelb.edu.au>
To: John Soper <j.soperits.unimelb.edu.au>
Subject: Re: (forte-users) Session management for page builder (fwd)
Why not construct an intermediate page after the
login page that has SESSION_UNSPECIFIED and
a refresh META tag. The page can then refresh
to either the login failed or login succeeded pages
depending on how the login went! Looks like...
1) Login page (SESSION_UNSPECIFIED)
2A) Refresh page (SESSION_UNSPECIFIED)
<HTML>
<HEAD>
<META http-equiv="refresh" content="0;URL=http://www.blah.com/forte.cgi?PageName=3">
</HEAD>
<BODY>
Login succeeded. Please wait...
</BODY>
</HTML>
2B) Refresh page (SESSION_UNSPECIFIED)
<HTML>
<BODY>
Login failed.
</BODY>
</HTML>
3) We're finally in. (SESSION_REQUIRED)
I'm not sure if this works on internet exploder.
Lyle.
John Soper wrote:
Lyle,
(Post from forte mailing group)
Does this make sense to you?
John
John Soper, Information Systems Development, ITS, The University of Melbourne
email: j.soperits.unimelb.edu.au >>>> Tel: 9344 5612
---------- Forwarded message ----------
Date: Thu, 30 Dec 1999 07:54:24 +0200
From: "Jaco Erasmus (home)" <jacoerasmweb.co.za>
To: kamranaminyahoo.com
Subject: (forte-users) Session management for page builder
Hi everybody,
We have a lot of legacy code making use of the page builder service to
produce web pages. These pages were originally written without session
management. I'm now busy adding session management to them, but there is
one problem with this approach and I will appreciate if someone can shed
some light on it. Here it is:
Page one is submitted.
Some validation (authentication) takes place and depending on the outcome,
either page 2A (SESSION_REQUIRED) or 2B (error page with
SESSION_UNSPECIFIED) must be displayed. In order to implement this, I
needed a place to make a decision. The way I've done it, is to pass a
'virtual page' (SESSION_UNSPECIFIED) to the page builder service. The
validation is done here and request.PageName is then replaced with the
PageName of pages 2A or 2B. The HandleRequest() method is then called
again. The problem is that the ValidateSession() method does not get
invoked again, thus allowing 2A through without a session. How do I make
sure that the ValidateSession() method gets invoked again?
The approach making use of templates looks to me as if it has all the means
to do this (redirect tag), but I don't want to rewrite everything if I
don't have to. Is there a way that a pagebuilder page can be specified by
the redirect tag? This will definitely help, but so far I've only managed
to call templates from the redirect tag.
Is the template approach better suited for session management? It is
definitely better documented...
Regards.
Jaco
For the archives, go to: http://lists.sageit.com/forte-users and use
the login: forte and the password: archive. To unsubscribe, send in a new
email the word: 'Unsubscribe' to: forte-users-requestlists.sageit.com
Hi,
I hope this helps
http://help.sap.com/saphelp_nw70/helpdata/EN/7e/aa610cc1dd8f4388b1df02fc362f0f/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/69/c250754ba111d189750000e8322d00/frameset.htm
regards,
Anil.
-
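The re-dispatch problem raised in the "(forte-users) Session management for page builder" thread above, modelled as an added example that is not part of the thread and is not Forte code. The Dispatcher class, page table and credentials are hypothetical Python stand-ins for HandleRequest() and ValidateSession(): with revalidate=False page 2A is served without a session, and with revalidate=True the session check runs again for the rewritten page name.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSION_REQUIRED = "SESSION_REQUIRED"
SESSION_UNSPECIFIED = "SESSION_UNSPECIFIED"

# Constructed page table mirroring the pages named in the thread.
PAGES = {
    "virtual": SESSION_UNSPECIFIED,  # decision point that picks 2A or 2B
    "2A": SESSION_REQUIRED,          # protected page
    "2B": SESSION_UNSPECIFIED,       # error page
}

# Constructed credentials; a real service stores salted password hashes.
USERS = {"jaco": "correct horse"}


@dataclass
class Request:
    page_name: str
    params: dict = field(default_factory=dict)
    session_id: Optional[str] = None


class Dispatcher:
    """Hypothetical stand-in for the page builder's HandleRequest() loop."""

    def __init__(self, revalidate: bool, open_session: bool):
        self.revalidate = revalidate      # False models the behaviour in the thread
        self.open_session = open_session  # create a session on successful login
        self.sessions = set()

    def validate_session(self, req: Request) -> bool:
        if PAGES[req.page_name] != SESSION_REQUIRED:
            return True
        return req.session_id is not None and req.session_id in self.sessions

    def handle_request(self, req: Request, internal: bool = False) -> str:
        if req.page_name not in PAGES:
            return "DENIED unknown page"
        # The policy check has to apply to the page actually served, so when
        # revalidate is set it runs again after page_name has been rewritten.
        if (not internal or self.revalidate) and not self.validate_session(req):
            return "DENIED " + req.page_name
        if req.page_name == "virtual":
            return self._login_decision(req)
        return "PAGE " + req.page_name

    def _login_decision(self, req: Request) -> str:
        expected = USERS.get(req.params.get("user", ""), "")
        supplied = req.params.get("password", "")
        ok = bool(expected) and hmac.compare_digest(
            expected.encode(), supplied.encode())
        if ok and self.open_session:
            # Issue an unguessable session id before the protected page is reached.
            req.session_id = secrets.token_urlsafe(32)
            self.sessions.add(req.session_id)
        req.page_name = "2A" if ok else "2B"
        return self.handle_request(req, internal=True)


def login(dispatcher: Dispatcher, user: str, password: str):
    """Submit the login form to the virtual page; return (response, session id)."""
    req = Request("virtual", {"user": user, "password": password})
    return dispatcher.handle_request(req), req.session_id
```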
Mapping input values for a web service connection to a range of cells
I've created a web service connection in Xcelsius data manager. My web service requires an array of integer as input parameter. How do I map input values for a web service connection to read from a range of cells in the spreadsheet, e.g. $A$2:$A$20, in similar way of mapping output values to write to a range of cells in the spreadsheet?
For output values of the web service, I can specify to map the output values to write to a range of cells. However, it doesn't seem to work for reading the input values.
I can map input values for each node to a single cell, e.g. $A$2, in the spreadsheet. However, when I set the "Read From" field to a range of cells, e.g. $A$2:$A$20, it only reads in the first value in the range.
Is there any way that we can do this mapping for input values as we do for output values?
Your assistance is very much appreciated.
Regards,
Van
Van,
There is a workaround for that...
Example:
My web service accepts input data range in a specific format with ":" symbol, i.e. 072008:082008
Now what I do is
A1 = 072008
A2 = 082008
A3 = CONCATENATE(A1,":",A2)
so A3 = 072008:082008
Now I map the input value in web service to cell A3
P.S. Have 2 input box components and map them to cells A1 and A2, i.e. you are giving users an option to enter the range of values... then web service will capture the range and refreshes data with the range of values user entered.
Hope this helps..
-Anil
-
(268625273) Q WSI-29 Can you give any performance benchmarks for WLS web services?
Q<WSI-29> Can you give any performance benchmarks for WLS web services?
A<WSI-29>: It is very difficult to quantify performance aspects of web services
since they depend on so many variables including but not limited to: backend system
processing by stateless session beans and message driven beans, size of XML SOAP
message sent, system hardware (CPU speed, parallel processing, RAM speed) and
system software (JVM type and version of WebLogic server). However, let me point
out that the EJB backend processing of requests both have the best possible scalability
within the EJB2.0 specification (both stateless session and message driven beans
can be pooled) and servlets have a proven scalable track record. Thus it should
be possible to scale your web service deployment to meet demand. The overhead
in processing XML within the servlet can be significant depending on the size
of XML data (either as a parameter or a return type). While WLS6.1 does not have
any features to address this performance concern, WLS7.0 will feature Serializer
and Deserializer classes which can be dedicated to the XML to Java and Java to
XML translation (they can also be automatically generated from a DTD, XML Schema
or regular JavaBean).
It is true that web services are not the fastest way to process client requests
but BEA is committed to making WebLogic server the fastest possible service provider.
Adam
see http://www.oracle.com/support/products/oas/sparc30/html/ows08811.html
-
We are using the Azure server for our web services. Server is generating an error "Unable to connect to the remote server". What does this error mean?
Hello,
Do you mean that you use the Windows Azure Virtual Machine DNS name as the server name in the Reporting Server Web Services URL?
For example:
Report server: http://uebi.cloudapp.net/reportserver
Report manager: http://uebi.cloudapp.net/reports
If you want to connect to Report Manager on the virtual machine from a remote computer, you should create a virtual machine TCP Endpoint and open the port in the virtual machine's firewall. By default, the report server listens for HTTP requests on port 80.
Reference: http://msdn.microsoft.com/en-us/library/jj992719.aspx#bkmk_ssrs_connect_2_remote_RM
Regards,
Fanny Liu
TechNet Community Support
-
Cannot connect Service Manager with Orchestrator Web Service URL
Dear TechNet User,
I cannot connect my Service Manager console with my Orchestrator web service. I try to connect to "http://AMSCO01:81/Orchestrator.svc"... the user I've chosen is local admin on the Orchestrator machine.
That's the log file:
Date: 07.10.2013 15:23:16
Application: System Center Service Manager
Application Version: 7.5.2905.0
Severity: Error
Message: Could not connect to the Orchestrator web service.
System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
at System.Data.Services.Client.QueryResult.Execute()
at System.Data.Services.Client.DataServiceRequest.Execute[TElement](DataServiceContext context, QueryComponents queryComponents)
--- End of inner exception stack trace ---
at System.Data.Services.Client.DataServiceRequest.Execute[TElement](DataServiceContext context, QueryComponents queryComponents)
at System.Data.Services.Client.DataServiceQuery`1.Execute()
at System.Data.Services.Client.DataServiceQuery`1.GetEnumerator()
at Microsoft.EnterpriseManagement.ServiceManager.Sdk.Connectors.OrchestratorRunbookConnector.GetRunbookFolders(OrchestratorContext scoContext, Folder parentFolder)
at Microsoft.EnterpriseManagement.ServiceManager.UI.Administration.Connectors.Orchestrator.OrchestratorConnectorHelper.ValidateServerConnection(Boolean found)
Any ideas? Thank you very much!
Hi,
I am unable to connect to http://hostname:81/Orchestrator2012/Orchestrator.svc/ in IE and am getting the same error while creating the connector.
I can connect to orchestrator via http://hostname:81/ but it still gives me the same error when I create the connector (Cannot connect Service Manager with Orchestrator Web Service).
Anyone seen it before?
-
Doc for 10g Web Services for EJBs
I'm trying to determine if any documentation exists for 10gAS that discusses how to publish a stateless session bean as a web service. The only thing I've found so far is a tutorial called "Expose a Stateless Session EJB as a Web Service Endpoint through JAX-RPC interface", but I've found it lacking in detail and possibly incorrect. For example, it mentions a wsadmin tool that I don't see in the 10gAS release and it discusses how files like mapping.xml and webservices.xml can be created by JDeveloper. However, the 10g JDeveloper I downloaded doesn't seem to support this.
Unfortunately the doc is the how-tos right now. However, there are a couple of pointers - this article by Anirban Chatterjee - http://otn.oracle.com/tech/webservices/htdocs/j2ee14/jsr109.html - describes the configuration behind it.
The JDeveloper interface is on the cusp of being released - it is just going through QA. I have written a tutorial on what it looks like here:
http://otn.oracle.com/tech/webservices/htdocs/series/jaxrpc1/index.html
But this tutorial is not linked publicly yet because it isn't released ... when the extension becomes available this link will be hooked up publicly. Please treat it as a preview right now.
Could you describe the errors that you are encountering. There are a number of bugs that we have been collecting with the preview and we hope to do a refresh soon. It would be good to know if yours is a known one or not.
Mike.
-
Please give me your opinion... about tools for develop web service
If you would like to choose a tool for developing web services, what is the most important feature that you will consider?
Please help me to order these topics from the most to the least:
a. creating web service
b. creating web service client
c. searching web service to UDDI registry
d. publish web service to UDDI registry
e. connecting to database management systems.
f. license fee
g. system requirements
h. Installation procedures
Thank you very much for your opinion. I will keep your information for my research....
:)
Hi Fangnaka,
You can use JWDSP2.0 + Tomcat 5.X + Jdk1.5 to develop and deploy web services.
Better IDEA are IntelliJ or Eclipse for web service code development.
Cheers
Rajesh R
-
Best Practice for Securing Web Services in the BPEL Workflow
What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same oracle application server.
Defining agent for each?
Gateway for all?
BPEL security extension?
The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
Regards
Farbod
It doesn't matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that they can be orchestrated as part of any other business process.
Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
If all the services are in one Application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
A typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the App server only from the Gateway.
When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
The next BPEL developer in your project may not be aware of Security extensions
Centralizing Security enforcement will make your development and security operations loosely coupled and addresses scalability.
Thanks
Ram
-
What are the different messages that OCOD may return for a web service requ
Hi,
Please give me feedback on the questions below, concerning the limitations of web service, and messages which may return.
1) What are the different messages that OCOD may return for a web service request? I need all the messages of all the scenarios which OCOD can meet, for example:
- If the file is rejected (Error message)
- If the file is accepted (to clarify that the records have been created)
- if the application is unavailable (maintenance or web service is down)
2) How many requests can we send simultaneously, and how many records can we make per second?
Best Regards,
Have a look here Jquery slideshow tutorial for beginners | WEBTUTS