Results 1 to 2 of 2

Thread: Does WS-Security offer anything for user session tracking?

  1. Mar 29th, 2011, 10:10 AM #1
    JeffH
    JeffH is offline Member
    Join Date
    May 2010
    Posts
    41

    Question Does WS-Security offer anything for user session tracking?

    Complete WS and Spring newbie here (just completed core spring training).

    We have a need to track user session information between WS method invocations. We are considering a dedicated web service to be used internally by our other web services to track user session state using an authenticated token. The idea would be to cache user tokens that have a certain time to live, after which they expire, re-authenticatation is required. So this will involve creating a lookup cache for performance and also persisting the tokens to a database until they have expired.

    Is this re-inventing the wheel in any way? I didn't know if Spring security or some other spring module (or another open source project) offers this sort of out of the box functionality?

    We want to do things the right way, but I'm having trouble finding any consensus on how to do this in the blogosphere. I understand web services want to be stateless, but in our case, we need to track a user's session state.

    Thanks for any tips and helpful links!

    -Jeff
    Reply With Quote Reply With Quote
  2. Mar 29th, 2011, 04:15 PM #2
    mada
    mada is offline Member
    Join Date
    Feb 2010
    Posts
    73

    Default

    first i think you should considere the drawbacks of a stateful webservices.
    I'm 99% sure that there is not such thing in spring ws already ready to use.

    I will not recommand to store them on database unless you may need some statistics on that.

    Spring ws follows WS best pratices like contract first and stateless ws are not the case .

    If you are interesting in caching stuff in session u should consider the scope of the bean (default is singleton) and maybe the ThreadLocal class already used by default for the authentification mecanism on spring security.

    and maybe unless you want to reinvent the whell caching mecanism, use EhCache or else.

    Spring have like always some cool glue stuff to simplify the Ehcache configuration . I have used it to cache authentification soap headers in order to not ask everytime the ldap.

    Ehcache enable to maintain cache in network but need more configuration for that.

    Last but not least you will need maybe a custom spring ws preprocessor because it is transversal and should not impact endPoint.
    Need help on Spring WS ? Do you want to shift gears and build the architecture of your spring ws with half of the price that will be for your company ? I have worked on Spring Ws 1,5 year at full time and build around80 WS with full dao testing and integration tests with Soapui with Maven 2 on hudson
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules