ws-dev mailing list archives

From Sofiane Cherchalli <>
Subject Web Service Security Design question?
Date Wed, 23 Apr 2003 15:55:57 GMT
Hi there

I'm designing an Axis Web Service that would run under Tomcat. The Web
Service client is a standalone Java/Swing WebStart-enabled program.

Basically, the Web Service exposes 3 methods that can be called only by
authenticated users (defined in a database table). When the client program
starts, it displays a dialog box with login and password to allow the user to
identify himself. I need to implement the following features:

- User sessions: Once a user is connected, a session is created. The session
is destroyed if the user disconnects or times out (stays idle for a certain
time). When the session expires, a subsequent call to a web service method has
to inform the client application that the session expired, and thus display
the login dialog box again.

- When a web service is called from a client browser, the user's session is
automatic since Tomcat either sends a cookie or uses URL rewriting (if
cookies are not enabled). In my case, it's a WebStart-enabled application, and
I think there is a cookie management service in the WebStart API, but the
remaining question is: how to read the cookie sent by the server?

- Using a java:RPC method call doesn't allow access to the SOAP message, right?
So I was thinking of using message calls, and writing the session id in the
SOAP response header to allow the client to store it for future calls!

- Another feature I want to add is encrypting message exchanges using

Well, I would greatly appreciate any design ideas, and would like to know if
what I'm trying to do is feasible.

Thanks in advance
