WS-SecureConversation provides a framework for supporting extended security sessions. The Rampart module includes support for WS-SecureConversation. See http://ws.apache.org/axis2/modules/rampart/1_0/security-module.html
Anne

On 10/18/06, Gul Onural <[EMAIL PROTECTED]> wrote:
Hi,

We have an existing product for which we want to have web services access. The existing product already has a web client and a plain Java GUI client. The web services client will be a new one.

The existing product has an extensive "resource based" access control policy already implemented. Every user has a user profile defining what resources the user can access, and it also defines what actions the user can take on these resources, i.e. some users might browse the resource but may not modify the resource based on the access control policy defined in their user profile, while others may modify the resource. For the access control checks, the session id of the user is used to link the client requests to the user profile. The session id is created when the user is logged in for the first time and destroyed when the user is logged out.

Now, we want to add a web service using the same backend access control functionality. Based on the documents I have read so far, Axis2 doesn't really have the same concept of session. My question is how access control can be done in Axis2.

For example, I could create a session id when the user first logs in and stick this session id into the SOAP message. Then the operations of my web service would require this session id to be sent with all the requests. In this case I would need to maintain the user sessions in my web service implementation.

How do you guys do this type of access control enforcement in your web services? Is there a recommended strategy or best practice type of experience?

Gul
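The session-id scheme described in the question, sketched as an added example that is not part of the original thread and is not Axis2 or Rampart code. The `SessionId` header, its namespace, the idle timeout and the profile data are all assumptions made for illustration.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:session"   # hypothetical namespace for the header
SESSION_TTL = 900                # assumed idle timeout, in seconds

# Constructed user profiles: resource -> actions the user may take on it.
PROFILES = {"alice": {"report-7": {"browse", "modify"}},
            "bob": {"report-7": {"browse"}}}
SESSIONS = {}                    # session id -> (user, last-seen time)

def login(user, now=None):
    """Issue an unguessable session id once the user has authenticated."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, time.time() if now is None else now)
    return sid

def logout(sid):
    SESSIONS.pop(sid, None)

def session_id_from(envelope_xml):
    """Return the SessionId header text, or None if absent or malformed."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    node = root.find(f"{{{SOAP_NS}}}Header/{{{APP_NS}}}SessionId")
    return node.text.strip() if node is not None and node.text else None

def authorize(envelope_xml, resource, action, now=None):
    """Map the request to a user profile via its session id, then check it."""
    now = time.time() if now is None else now
    sid = session_id_from(envelope_xml)
    entry = SESSIONS.get(sid) if sid else None
    if entry is None:
        return False             # missing, unknown or logged-out session
    user, last_seen = entry
    if now - last_seen > SESSION_TTL:
        logout(sid)              # idle sessions are destroyed server-side
        return False
    SESSIONS[sid] = (user, now)
    return action in PROFILES.get(user, {}).get(resource, set())

def envelope(sid):
    """Build a constructed sample request that carries the session id."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:a="{APP_NS}">'
            f'<s:Header><a:SessionId>{sid}</a:SessionId></s:Header>'
            f'<s:Body/></s:Envelope>')
```

A session id carried this way is a bearer credential, so the message has to travel over a protected channel such as TLS or the WS-SecureConversation support mentioned in the reply.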
