Hi,
We have an existing product which we want to have web services access to.
The existing product already has a web client and a plain Java GUI client. The web
services client will be a new one.
The existing product has an extensive "resource based" access control policy already implemented.
Every user has a user profile defining what resources the user can access and it also
defines what actions the user can take on these resources, i.e. some users
might browse the resource but may not modify the resource based on his access control
policy defined in his user profile, while others may modify the resource.
For the access control checks the session id of the user is used to link the client requests to the
user profile. The session id is created when the user logs in for the first time and
destroyed when the user logs out.
Now, we want to add a web service using the same backend access control functionality.
Based on the documents I have read so far, Axis2 doesn't really have the same
concept of session.
My question is how access control can be done in Axis2? For example I could create a session id
when the user first logs in and stick this session id into the SOAP message. Then operations
of my web service would require this session id to be sent for all the requests. In this case
I would need to maintain the user sessions in my web service implementation.
How do you guys do this type of access control enforcement in your web services?
Is there a recommended strategy or best practice type of experience?
Gul
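The scheme sketched in the post (session id carried in the SOAP message, checked on every operation against the user's profile) can be enforced in one place with an Axis2 in-flow handler. The code below is an added example, not from the post or from Axis2 itself; the `SessionId` header and its `urn:example:session` namespace, the `login` operation name, the operation-to-action table, and the `UserProfile` / `SESSIONS` stand-ins for the existing backend are all assumptions.

```java
import javax.xml.namespace.QName;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;

// Stand-in for the product's user profile: the set of actions it allows.
class UserProfile {
    private final Set<String> actions;
    UserProfile(Set<String> actions) { this.actions = actions; }
    boolean permits(String action) { return actions.contains(action); }
}

// Deploy in a phase that runs after dispatch, so the target operation is known.
public class SessionAccessHandler extends AbstractHandler {
    // Hypothetical header carrying the session id (not an Axis2/WS-Security name).
    static final QName SESSION_HEADER = new QName("urn:example:session", "SessionId");
    // Stand-in for the backend session table: session id -> profile.
    static final Map<String, UserProfile> SESSIONS = new ConcurrentHashMap<>();
    // Which action each operation performs on the resource (assumed names).
    static final Map<String, String> OPERATION_ACTION = Map.of(
        "getResource", "browse",
        "updateResource", "modify");

    @Override
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        if (msgContext.getAxisOperation() == null) {
            throw new AxisFault("Handler placed before dispatch; operation unknown");
        }
        String operation = msgContext.getAxisOperation().getName().getLocalPart();
        if ("login".equals(operation)) return InvocationResponse.CONTINUE; // no session yet

        SOAPHeader header = msgContext.getEnvelope().getHeader();
        OMElement sid = header == null ? null : header.getFirstChildWithName(SESSION_HEADER);
        if (sid == null || sid.getText().trim().isEmpty()) {
            throw new AxisFault("Missing session id");
        }
        UserProfile profile = SESSIONS.get(sid.getText().trim());
        if (profile == null) throw new AxisFault("Invalid or expired session");

        String action = OPERATION_ACTION.get(operation);   // unknown operation -> deny
        if (action == null || !profile.permits(action)) {
            throw new AxisFault("Not authorised for " + operation);
        }
        msgContext.setProperty("userProfile", profile);    // hand profile to the service
        return InvocationResponse.CONTINUE;
    }
}
```

Because the check runs in the handler chain, every operation is covered without each service method repeating it; the session id should still be sent only over TLS and expired when the user logs out.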
