cxf-dev mailing list archives

From Anoop Prasad <>
Subject RE: Application Layer Session Management for WS
Date Wed, 11 Feb 2009 11:52:21 GMT
Dear Dan,

Thank you for your Inputs.

My focus is to build a secure Session handling mechanism independent of
Transport or any low level details.
"Encrypted XML Document containing Session Tokens; and an agreement between
two Web services about the way they will use and Update the token" should do
the trick. And as you suggested we can use the Interceptors to realize this.

I'm reading about the standards, and it looks like WS-Context is the right
way to proceed.

WS Addressing is not advocated; also the Working Group is now closed

CXF Page here( ) shows
"WS-Context & Session support" as an Idea.
But the page was last updated on Sep 19, 2007 as you can see.
Can you please confirm whether it's been taken to the next level, or is still
open for exploration?

I would really appreciate it if you would correct me if any of these
understandings is wrong.

Thanks a lot.

PS: I'm also planning to add WS-Security to the system; for that I probably
might use the WSS4J Interceptor solution.


Two roads diverged in a wood, and I -- I took the one less traveled by, and
that has made all the difference!



-----Original Message-----
From: Daniel Kulp [] 
Sent: Tuesday, February 10, 2009 10:34 PM
Cc: anoopPrasad
Subject: Re: Application Layer Session Management for WS

I'm really not aware of any non-http level session stuff going on right now.

It wouldn't be hard to write a set of interceptors that would do this for
The server "in" interceptor would just pull a session ID from someplace
(soap header or JMS header or similar) and validate it and store it on the 
exchange/message to be used later in the implementation or similar.   An
interceptor would add it to the response.  Client side would be similar.


On Fri February 6 2009 3:53:49 am anoopPrasad wrote:
> Dear All,
> I have Integrated the latest CXF 2.1.3 with my system and it started 
> working without making much noise (Some noise near the JMS area ;-) 
> ;change in the way we were configuring it)
> We do have a need to maintain session for certain Web Services for 
> licensing the same for certain Service consumers. I started exploring 
> options within CXF and found an interesting discussion here 
> But that discussion focused on HTTP/jetty based session handling.
> Do we have a mechanism to handle the Sessions at the application layer 
> level itself; something like what they have in Axis2. If yes kindly 
> point me in the right direction.
> If not please let me know if we have any work in progress in this 
> direction.
> Thanks in advance.
> regards
> anoopPrasad

Daniel Kulp
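
The server "in" interceptor described in Daniel Kulp's reply above, as an added example (not code from this thread or from the CXF project). The header name, exchange key and in-memory session store are assumptions made for illustration; the CXF types used are `AbstractSoapInterceptor`, `SoapMessage`, `Header` and `SoapFault`.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.phase.Phase;
import org.w3c.dom.Element;

/** Server "in" interceptor: read a session ID from a SOAP header, validate it, keep it on the exchange. */
public class SessionInInterceptor extends AbstractSoapInterceptor {
    // Hypothetical header name and exchange key, chosen for this example.
    static final QName SESSION_HEADER = new QName("urn:example:session", "SessionId");
    static final String EXCHANGE_KEY = "example.session.id";

    // Hypothetical store: session ID -> expiry time in epoch milliseconds.
    private final Map<String, Long> sessions = new ConcurrentHashMap<String, Long>();

    public SessionInInterceptor() {
        super(Phase.PRE_INVOKE); // SOAP headers are parsed by now; service code has not run yet
    }

    public void register(String id, long expiresAtMillis) {
        sessions.put(id, expiresAtMillis);
    }

    public void handleMessage(SoapMessage message) {
        String id = null;
        for (Header header : message.getHeaders()) {
            if (SESSION_HEADER.equals(header.getName()) && header.getObject() instanceof Element) {
                id = ((Element) header.getObject()).getTextContent().trim();
            }
        }
        // Reject anything that is not a 32-character hex ID before touching the store.
        if (id == null || !id.matches("[0-9a-f]{32}")) {
            throw reject(message);
        }
        Long expiry = sessions.get(id);
        if (expiry == null || expiry < System.currentTimeMillis()) {
            sessions.remove(id); // drop expired entries so they cannot be reused
            throw reject(message);
        }
        // Later interceptors and the service implementation read the ID from the exchange.
        message.getExchange().put(EXCHANGE_KEY, id);
    }

    private SoapFault reject(SoapMessage message) {
        // One fault for missing, malformed, unknown and expired IDs, so callers cannot tell them apart.
        return new SoapFault("Invalid session", message.getVersion().getSender());
    }
}
```

The ID travels in a SOAP header, so it needs message-level protection such as the WS-Security setup mentioned in the thread, or a protected transport.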
