Reputation: 2454
I am trying to create a web application which will use a JS front end and invoke Spring WS in the backend. Let's say this is a shopping-site kind of website. So, I could have services like OrderService, InventoryService, ShippingService and so on. The only thing that needs a session is the shopping cart of the user. Now, just for this shopping cart, does it make sense to use a servlet container for session management? Or should I have a CartService that persists session information to the database?
What is the best practice when it comes to session management with web services? I guess the best practice really is to keep the service stateless, but how can I authorize users if I have stateless web services?
Is it a good practice at all to use a servlet container just to do session management and then have different controllers acting as proxies to the web services?
I am attaching a picture to make you understand the context better.
Upvotes: 6
Views: 1162
Reputation: 950
How can I authorize users if I have stateless webservices?
If your app uses external WS, then a rather common approach is described here.
If all the WS are part of your delivery, you can surely use Spring Security.
A very common approach is also to have an (Apache) HTTP server as a proxy with something like LDAP for both authentication and authorization.
Is it a good practice at all to use a servlet container just to do session management and then have different controllers acting as proxies to the webservices?
I would think it is not. As also discussed here, you can only benefit from keeping your web services stateless, and if you need to maintain state between requests, use cookies.
If the state (cart) should survive the logout, something like CartService sounds like a good idea to me.
Upvotes: 5
Reputation: 950
If the web service is stateless, how do I know that an AJAX request is authorized? How do I know that the AJAX request is coming from user1 of webapp1, who is authorized, and not from user2 of webapp2, who is not authorized to access the service?
Good question. The quick answer would be:
For Basic Authentication: username:password is Base64 encoded and stored in the Authorization HTTP header for each request that the client sends. See this wiki entry. The header looks like this:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
With Spring Security, the configuration can be like this:
<http pattern="/api/**" create-session="stateless">
    <intercept-url pattern='/**' access="hasRole('REMOTE')" />
    <http-basic />
</http>
For form-based authentication of WS, take a look at this article.
First you send a POST request to /j_spring_security_check. This request will return the cookie, which will then be used by any subsequent request against the web service. Here they store it in a text file:
curl -i -X POST -d j_username=user -d j_password=userPass -c /tmp/cookies.txt \
    http://localhost:8080/app/j_spring_security_check
Then you can use the cookie from the file to make further authenticated requests:
curl -i --header "Accept:application/json" -X GET -b /tmp/cookies.txt \
    http://localhost:8080/app/api/foos
The XML Spring Security configuration can look like this:
<http pattern="/api/**" create-session="stateless">
    <intercept-url pattern='/**' access="hasRole('REMOTE')" />
    <form-login />
</http>
Upvotes: 2
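As an added example (not code from the question or the answers above), here is the per-request check that the stateless Basic-auth setup in the previous answer performs, written in Python with a constructed user store standing in for Spring Security's user details and its hasRole('REMOTE') rule: every request must carry its own Authorization header, user1 (holding REMOTE) gets 200, user2 (no REMOTE role) gets 403, and anything else gets 401.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed user store for this example: salted password digests plus the
# roles that the Spring config's hasRole('REMOTE') rule would consult.
# A real deployment uses Spring Security's UserDetailsService and a proper
# password encoder (bcrypt/argon2); PBKDF2 here is only a runnable stand-in.
_SALT = b"constructed-salt"

def _digest(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {
    "user1": (_digest("user1Pass"), {"REMOTE"}),  # webapp1's caller, authorized
    "user2": (_digest("user2Pass"), set()),       # webapp2's caller, no REMOTE role
}

def parse_basic(header_value):
    """Parse 'Basic <base64(user:password)>'; return (user, password) or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authorize(headers, required_role="REMOTE"):
    """Stateless check run on every request: no session, credentials each time.
    Returns the HTTP status the service would answer with."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401
    user, password = creds
    entry = USERS.get(user)
    # Hash even for unknown users so response timing does not reveal valid names.
    expected = entry[0] if entry else _digest("")
    if not hmac.compare_digest(_digest(password), expected) or entry is None:
        return 401
    return 200 if required_role in entry[1] else 403

def basic_header(user, password):
    """Header the client sends; base64 is encoding, not encryption, so Basic
    auth is only acceptable over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```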
Reputation: 4864
You could refer to Spring-WS security.
Check here for a sample that uses WS-Security in a Spring Boot app. Specifically, see WebServiceServerConfig.
Upvotes: 2