How to secure Java web services with login and session

Question

How to secure Java web services with login and session

I want my (Java metro) web service with login.

Here's how I plan to do this:

The steps required when calling the webservice method:

call login (user, pwd), get session token 1.1 remember token
servicemethod call (token, arg1, arg2 ...)
webservice checks if a token is known if no exception is thrown, otherwise continue
logout or timeout after x periods of inactivity

my questions are: 1. What is your opinion on this approach? does that make sense? 2. Are there libraries that take responsibility for processing the session (possibly with saving the database in order to survive application reloading).

(the solution should be simple and convenient for use with Java and .NET clients)

thank!

+3

java web-services session java-metro-framework java-ws

hugri Mar 31 '10 at 7:38

source share

3 answers

. J2EE/ Java /. , .

- -; Apache HTTPD, Tomcat.

+1

Stephen C 31 . '10 7:58

I thought about trying out Apache Shiro , I can’t say how good it is. Looks good.

0

msung Apr 11 '10 at 21:11

source share

Pascal Thivent · Accepted Answer · 2010-03-31T08:16:42+0000

This is possible, and I have seen web services using a similar approach. But I would not implement my own solution. Instead, I would use the security token from the WS-Security specification and, more precisely, the user token (you get this from the WSIT , which is part of Metro and thus interacts with .NET clients). See this article for an introduction.

Update: Other pointers:

, WS-Security , , , , WS-Security , , ( ).

Edit:

, . , , .

How to secure Java web services with login and session

More articles: