Session management for a web service

I am building a web service where the user will need to login and the application will need to maintain a persistent session. I am using Apache Axis2 for client/server communication via SOAP/XML. What would the simplest and most common way of doing this? I know I could implement session management from scratch similarly to how a browser does it, using cookies, but I'd rather use standard Java libraries for this. Am I correct in assuming that even though I'm using Axis2, the solution doesn't really have anything to do with Axis2 since Axis2 is basically just a way for the client/server to send messages to each other?
I've read a lot of information online about this, but there's so much information that it's hard to know where to start. Basically I'm just looking for someone to point me in the right direction on what classes to use and so on. I just need a simple username password authentication and session management system for a web service.

Container Managed Authentication. Does everything you need.

Similar Messages

  • Using Identity Management for Securing Web Services

    My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
    (My identity management server and OID is up and running and I have successfully made authentication modules for other web applications)
    Here is what I did:
    1. I wrote a simple java file, used jdeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through OC4J web tools as security provider.
    2. I made a data control for the web service and put it in an ADF application . (client)
    3. I deployed the client project(2) to OC4J.
    I could use the web service through the page.
    Then
    I secured the webservice to expect SAML for authentication.
    Surprisingly, the client could still communicate with the webservice, Why? Shouldn't it have rejected the request because of the problem in SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens)
    4.
    I added login page to my client project (through ADF security wizard). It used idenity management for authentication successfully. login process completes and web service data control is displayed.
    5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
    I know I should add <property name="oracle.security.wss.propagate.identity" value ="true"/>
    to one of the configuration files, but don't know where exactly.
    Best Regards,
    Farbod

    It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
    Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
    The next BPEL developer in your project may not be aware of Security extensions
    Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
    Thanks
    Ram

  • Session Pooling for CRMoD - Web services.

    Hi,
    We have a Java application which fetches the Contact Data on the basis of the Phone Number in CRMoD, using web services. (it happens on a hyperlink click).
    Before fetching the contact data, we establish the session between our app and CRMoD using the URL - https://<pod>.crmondemand.com/Services/Integration?command=login.
    The jsessionId is retrieved and then used for subsequent interaction with the web services.
    However, everytime any user clicks on the hyper link...the entire process is executed right form the connection establishment to fetchng the contact data.
    This results in a lot of time for the entire process to execute (roughly around 6-7 seconds).
    We would like to reduce the time , possibly by implementing a connection pooling for the login.
    Can any one suggest how to implement a sesision pool for the JsessionId that is returned from CRMoD ?
    Regards,
    Bibin.

    You should definitely move to STATELESS web services for this and not STATEFUL. You also get a bit of scalability also.
    If you were to pass the SESSIONID around to multiple processes (or one that was threaded), you might still get RIP (ie, concurrency timeouts) errors. By using the STATELESS approach to web services, you get the built in connection pooling plus an automatic handler for concurrency/queueing.
    In the STATELESS, all of your processes just supply the USERID/PASSWORD in the call. CRMOD decides whether an existing POOLed connection is used. You actually have to do less in terms of management this way.
    We implemented an external facing web application for a client that used a single USERID/PASSWORD to "confirm" an Appointment that was established via STATELESS connections.
    Mychal Manie
    Hitachi Consulting - Oracle Practice

  • Session management and java Web Service

    Hi ,
    Can I have two web services one based on Session bean and other on Simple java class, packaged into single ear file? Does NetWeaver supports web service session management/tracking? How can I get an handle to HttpRequest in my Web Service?
    Any help will be appreciated.
    Thanks in advance
    regards,
    rajinder

    Container Managed Authentication. Does everything you need.

  • Implementation of session handling for using web services

    Hi,
    I would like to use session handling in web services using ABAP stack in order to start the session with an user login function followed by other RFC calls till a user logout. So far, I found only the following help note in the SAP online help:
    Interface Profile
    In the interface profile, choose the required processing type: Stateful or Stateless.
    A stateful service retains its status within the framework of a HTTP session throughout several calls form the same service consumer. The standard value for services is Stateless.If you require stateful communication, you can choose this instead.
    [http://help.sap.com/saphelp_nwpi71/helpdata/de/45/25291b5a2657c0e10000000a1553f7/content.htm |http://help.sap.com/saphelp_nwpi71/helpdata/en/45/25291b5a2657c0e10000000a1553f7/content.htm]
    Please, could someone explain me the further required steps of SAPs session handling idea cause just settting the status to stateful is still not the solution itself...
    Regards,
    Jens

    Now, I found the possible scenarios, suggest by SAP Help, regarding security for Web Services ([http://help.sap.com/saphelp_nw73/helpdata/en/48/8ebbba66be06b2e10000000a42189b/content.htm|http://help.sap.com/saphelp_nw73/helpdata/en/48/8ebbba66be06b2e10000000a42189b/content.htm]):
    - SAML & WS SecureConversation -> SSO
    - WS Security UsernameToken & WS SecureConversation
    - User ID and Password in HTTP Header & HTTPS
    - SAP Authentication Assertion Ticket & HTTPS -> SSO
    - X.509 SSL Client Certificate through HTTPS
    - WS Security: X.509 Certificate Authentication at Message Level
    Are scenarios with SSO the solution for creating sessions!?

  • Create a session for a web service in jdeveloper10g

    Hi All,
    Question 1: How to create a session for a java web service created in jdeveloper10g.
    Question 2: How to restrict a particular user for accessing a java web service.
    I have done this by using key store. But when creating the java web service client, again we have to configure the key store, which should not happen in my case. Hence i like to create a method for login in a web service, create a session id for the user if he is a valid user and send the session id back to web service client. Using the session id they can access other methods in the web service.
    Can any one suggest how I can accomplish this. Thanks in advance.

    I don't know this can be disscussed or not.
    Please delete my topic if this can't be disscussed here.
    Thank you.

  • Re: (forte-users) Session management for page builder(fwd)

    Jaco,
    Hope this helps,
    John
    John Soper, Information Systems Development, ITS, The University of Melbourne
    email: j.soperits.unimelb.edu.au >>>> Tel: 9344 5612---------- Forwarded message ----------
    Date: Mon, 10 Jan 2000 16:34:31 +1100
    From: Lyle Winton <L.Wintonits.unimelb.edu.au>
    To: John Soper <j.soperits.unimelb.edu.au>
    Subject: Re: (forte-users) Session management for page builder (fwd)
    Why not construct an intermediate page after the
    login page that has SESSION_UNSPECIFIED and
    a refresh META tag. The page can then refresh
    to either the login failed or login succeeded pages
    depending on how the login went! Looks like...
    1) Login page (SESSION_UNSPECIFIED)
    2A) Refresh page (SESSION_UNSPECIFIED)
    < HTML >
    < HEAD >
    < META http-equiv="refresh"
    content="0;URL=<a href=
    "http://www.blah.com/forte.cgi?PageName=3">http://www.blah.com/forte.cgi?PageName=3</a>" >
    < /HEAD >
    < BODY >
    Login succeeded. Please wait...
    < /BODY >
    < /HTML >
    2B) Refresh page (SESSION_UNSPECIFIED)
    < HTML >
    < BODY >
    Login failed.
    < /BODY >
    < /HTML >
    3) We're finally in. (SESSION_REQUIRED)
    I'm not sure if this works on internet exploder.
    Lyle.
    John Soper wrote:
    Lyle,
    (Post from forte mailing group)
    Does this make sense to you?
    John
    John Soper, Information Systems Development, ITS, The University of Melbourne
    email: j.soperits.unimelb.edu.au >>>> Tel: 9344 5612---------- Forwarded message ----------
    Date: Thu, 30 Dec 1999 07:54:24 +0200
    From: "Jaco Erasmus (home)" <jacoerasmweb.co.za>
    To: kamranaminyahoo.com
    Subject: (forte-users) Session management for page builder
    Hi everybody,
    We have a lot of legacy code making use of the page builder service to
    produce web pages. These pages were originally written without session
    management. I'm now busy adding session management to them, but there is
    one problem with this approach and I will appreciate if someone can shed
    some light on it. Here it is:
    Page one is submitted.
    Some validation (authentication) takes place and depending on the outcome,
    either page 2A (SESSION_REQUIRED) or 2B (error page with
    SESSION_UNSPECIFIED) must be displayed. In order to implement this, I
    needed a place to make a decision. The way I've done it, is to pass a
    'virtual page' (SESSION_UNSPECIFIED) to the page builder service. The
    validation is done here and request.PageName is then replaced with the
    PageName of pages 2A or 2B. The HandleRequest() method is then called
    again. The problem is that the ValidateSession() method does not get
    invoked again, thus allowing 2A through without a session. How do I make
    sure that the ValidateSession() method get invoked again?
    The approach making use of templates look to me as if it has all the means
    to do this (redirect tag), but I don't want to rewrite everything if I
    don't have to. Is there a way that a pagebuilder page can be specified by
    the redirect tag? This will definitely help, but so far I've only managed
    to call templates from the redirect tag.
    Is the template approach better suited for session management? It is
    definetely better documented...
    Regards.
    Jaco
    For the archives, go to: http://lists.sageit.com/forte-users and use
    the login: forte and the password: archive. To unsubscribe, send in a new
    email the word: 'Unsubscribe' to: forte-users-requestlists.sageit.com

    Hi,
    i hope this helps
    http://help.sap.com/saphelp_nw70/helpdata/EN/7e/aa610cc1dd8f4388b1df02fc362f0f/frameset.htm
    http://help.sap.com/saphelp_nw70/helpdata/EN/69/c250754ba111d189750000e8322d00/frameset.htm
    regards,
    Anil.

  • Mapping input values for a web service connection to a range of cells

    I've created a web service connection in Xcelsius data manager. My web service requires an array of integer as input parameter. How do I map input values for a web service connection to read from a range of cells in the spreadsheet, e.g. $A$2:$A$20, in similar way of mapping output values to write to a range of cells in the spreadsheet?
    For output values of the web service, I can specify to map the output values to write to a range of cells. However, it doesn't seem to work for reading the input values.
    I can map input values for each node to a single cell, e.g. $A$2, in the spreadsheet. However, when I set the "Read From" field to a range of cells, e.g. $A$2:$A$20, it only reads in the first value in the range.
    Is there any way that we can do this mapping for input values as we do for output values?
    Your assistance is very much appreciated.
    Regards,
    Van

    Van,
    There is a workaround for that...
    Example:
    My Webservice accepts input data range in a specific format with " :" symbol, i.e. 072008:082008
    Now what i do is
    A1 = 072008
    A2 = 082008
    A3 = CONCATENATE(A1,":",A2)
    so A3 = 072008:082008
    Now i map the input value in web service to cell A3
    P.S have 2 input box components and map it to cells A1 and A2, i.e you are giving users an  option to enter the range of values...then web service will capture the range and refreshes data with the range of values user entered.
    hope this helps..
    -Anil

  • (268625273) Q WSI-29 Can you give any performance benchmarks for WLS web services?

    Q<WSI-29> Can you give any performance benchmarks for WLS web services?
    A<WSI-29>: It is very difficult to quantify performance aspects of web services
    since they depend on so many variables including but not limited to: backend system
    processing by stateless session beans and message driven beans, size of XML SOAP
    message sent, system hardware (CPU speed, parallel processing, RAM speed) and
    system software (JVM type and version of WebLogic server). However, let me point
    out that the EJB backend processing of requests both have the best possible scalability
    within the EJB2.0 specification (both stateless session and message driven beans
    can be pooled) and servlets have a proven scalable track record. Thus it should
    be possible to scale your web service deployment to meet demand. The overhead
    in processing XML within the servlet can be significant depending on the size
    of XML data (either as a parameter or a return type). While WLS6.1 does not have
    any features to address this performance concern, WLS7.0 will feature Serializer
    and Deserializer classes which can be dedicated to the XML to Java and Java to
    XML translation (they can also be automatically be generated from a DTD, XML Schema
    or regular JavaBean).
    It is true that web services are not the fastest way to process client requests
    but BEA is committed to making WebLogic server the fastest possible service provider.
    Adam

    see http://www.oracle.com/support/products/oas/sparc30/html/ows08811.html

  • We are using the Azure server for our web services. Server is generating an error "Unable to connect to the remote server". What is this error means

    We are using the Azure server for our web services. Server is generating an error "Unable to connect to the remote server". What is this error means  

    Hello,
    Did you means that you use the Windows Azure Virtual Machine DNS name as the server name in the Reporting Server Web Services URL?
    For example:
    Report server:http://uebi.cloudapp.net/reportserver
    Report manager:http://uebi.cloudapp.net/reports
    If you want to connect to Report Manager on the virtual machine from a remote computer, you should create a  virtual machine TCP Endpoint and open the port in the virtual machine’s firewall. By default, the report server listens for HTTP requests
    on port 80.
    Reference:http://msdn.microsoft.com/en-us/library/jj992719.aspx#bkmk_ssrs_connect_2_remote_RM
    Regards,
    Fanny Liu
    Fanny Liu
    TechNet Community Support

  • Cannot connect Service Manager with Orchestrator Web Service URL

    Dear TechNet User,
    i cannot connect my service manager console with my Orchestrator Webservice. i try to connect to "http://AMSCO01:81/Orchestrator.svc" ... the user i´ve choose is local admin on the orchestrator Machine.
    Thats the Logfile:
    Date: 07.10.2013 15:23:16
    Application: System Center Service Manager
    Application Version: 7.5.2905.0
    Severity: Error
    Message: Could not connect to the Orchestrator web service.
    System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>404 - File or directory not found.</title>
    <style type="text/css">
    <!--
    body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    fieldset{padding:0 15px 10px 15px;}
    h1{font-size:2.4em;margin:0;color:#FFF;}
    h2{font-size:1.7em;margin:0;color:#CC0000;}
    h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    background-color:#555555;}
    #content{margin:0 0 0 2%;;}
    .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;;}
    -->
    </style>
    </head>
    <body>
    <div id="header"><h1>Server Error</h1></div>
    <div id="content">
     <div class="content-container"><fieldset>
      <h2>404 - File or directory not found.</h2>
      <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
     </fieldset></div>
    </div>
    </body>
    </html>
       at System.Data.Services.Client.QueryResult.Execute()
       at System.Data.Services.Client.DataServiceRequest.Execute[TElement](DataServiceContext context, QueryComponents queryComponents)
       --- End of inner exception stack trace ---
       at System.Data.Services.Client.DataServiceRequest.Execute[TElement](DataServiceContext context, QueryComponents queryComponents)
       at System.Data.Services.Client.DataServiceQuery`1.Execute()
       at System.Data.Services.Client.DataServiceQuery`1.GetEnumerator()
       at Microsoft.EnterpriseManagement.ServiceManager.Sdk.Connectors.OrchestratorRunbookConnector.GetRunbookFolders(OrchestratorContext scoContext, Folder parentFolder)
       at Microsoft.EnterpriseManagement.ServiceManager.UI.Administration.Connectors.Orchestrator.OrchestratorConnectorHelper.ValidateServerConnection(Boolean found)
    System.Data.Services.Client.DataServiceClientException: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>404 - File or directory not found.</title>
    <style type="text/css">
    <!--
    body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    fieldset{padding:0 15px 10px 15px;}
    h1{font-size:2.4em;margin:0;color:#FFF;}
    h2{font-size:1.7em;margin:0;color:#CC0000;}
    h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    background-color:#555555;}
    #content{margin:0 0 0 2%;;}
    .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;;}
    -->
    </style>
    </head>
    <body>
    <div id="header"><h1>Server Error</h1></div>
    <div id="content">
     <div class="content-container"><fieldset>
      <h2>404 - File or directory not found.</h2>
      <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
     </fieldset></div>
    </div>
    </body>
    </html>
       at System.Data.Services.Client.QueryResult.Execute()
       at System.Data.Services.Client.DataServiceRequest.Execute[TElement](DataServiceContext context, QueryComponents queryComponents)
    any ideas? Thank you very much!

    Hi,
    I am unable to connect to
    http://hostname:81/Orchestrator2012/Orchestrator.svc/ in IE and am getting the same error while creating the connector.
    I can connect to orchestrator via http://hostname:81/ but it still gives me the same error when I create the connector (Cannot connect Service Manager with Orchestrator Web Service).
    anyone seen it before?

  • Doc for 10g Web Services for EJBs

    I'm trying to determine if any documentation exists for 10gAS that discusses how to publish a statless session bean as a web service. The only thing I'm found so far is a tutorial called "Expose a Stateless Session EJB as a Web Service Endpoint through JAX-RPC interface", but I've found it lacking in detail and possibly incorrect. For example, it mentions a wsadmin tool that I don't see in the 10gAS release and it discusses how files like mapping.xml and webservices.xml can be created by JDeveloper. However, the 10g JDeveloper I downloaded doesn't see to support this.

    Unfortunately the doc is the how-tos right now. However, there are a couple of pointers - this article by Anirban Chatterjee - http://otn.oracle.com/tech/webservices/htdocs/j2ee14/jsr109.html - describes the configuration behind it.
    The JDeveloper interface is on the cusp of being released - it is just going through QA. I have written a tutorial on what it looks like here:
    http://otn.oracle.com/tech/webservices/htdocs/series/jaxrpc1/index.html
    But this tutorial is not linked publicly yet because it isn't released ... when the extension becomes available this link will be hooked up publicly. Please treat it as a preview right now.
    Could you describe the errors that you are encountering. There are a number of bugs that we have been collecting with the preview and we hope to do a refresh soon. It would be good to know if yours is a known one or not.
    Mike.

  • Please give me your opinion... about tools for develop web service

    If you would like to choose the tool for develop web service.
    what is the most important feature that you will consider,
    Please help me to order these topic from the most to the least
    a. creating web service
    b. creating web service client
    c. searching web service to UDDI registry
    d. publish web service to UDDI registry
    e. connecting to database management systems.
    f. license fee
    g.system requirements
    h. Installation procedures
    thank you very much for your opinion. I will keep your information for my research....
    :)

    Hi Fangnaka,
    You can use JWDSP2.0 + Tomcat 5.X +Jdk1.5 to develop and deploy webservice.
    Better IDEA are Intellij or Eclipse for webservice code development.
    Cheers
    Rajesh R

  • Best Practice for Securing Web Services in the BPEL Workflow

    What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
    They are all deployed on the same oracle application server.
    Defining agent for each?
    Gateway for all?
    BPEL security extension?
    The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
    Regards
    Farbod

    It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
    Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
    The next BPEL developer in your project may not be aware of Security extensions
    Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
    Thanks
    Ram

  • What are the different messages that OCOD may return for a web service requ

    Hi,
    Please give me feedback on the questions below, concerning the limitations of web service, and messages which may return.
    1) What are the different messages that OCOD may return for a web service request? I need all the messages of all the scenarios which OCOD can meet, for example:
    - If the file is rejected (Error message)
    - If the file is accepted (to clarify that the records have been created)
    - if the application is unavailable (maintenance or web service is down)
    2) How many request can we send simultaneously, and how many records we can make per second?
    Best Regard,

    Have a look here Jquery slideshow tutorial for beginners | WEBTUTS

Maybe you are looking for

  • IPhone 3G S Nightmare

    Hi everone just wanted to let you know my expierence with ordering the 3GS. So like most of you I was excited to hear about the new iPhone and jumped at the opportunity to have one in my hands come 6/19. My husband and I were upgrading from the origi

  • How to get tabs in screen painter?

    Hi friends i am having 3 screens with numbers 100, 200, 300. I want to make this 3 screens into tabs like basicdata1, basicdata2 in mm02. Like when i click basicdata1 it has to open basicdata1 screen. Please can anyone share me the solution

  • After getting a new iPhone 4S, one of my apps won't work

    I have just had my iPhone 4S replaced by apple and have restored everything from my old phone. One of my apps now tries to load but then shuts. It still works on m iPad. Should I delete it on my mobile and reinstall?  I am worried I'll lose any progr

  • Mobile site creation help

    Hi     I have been developing components for normal websites using CQ. But now i want to create a mobile site . I checked the http://dev.day.com/docs/en/cq/current/developing/mobile.html for help. I was able to create a normal page . But it is not gi

  • Oracle 9i with SUN 2.9!!

    I am trying to install Oracle 9.0.1 on Solaris 9.0 I got following for the version compatiblity : OS Product Certified With Version Status Addtl. Info. Components Other Install Issue 2.6 9.0.1 N/A N/A Desupported Yes None N/A N/A 9 9.0.1 N/A N/A Desu