Hi Axis users, I am a beginner with Axis2 and am working on an application that requires user authentication. My case study is a bit different from the examples that come with the Rampart module and would probably need to combine many things. Your help and comments are greatly appreciated, especially in pointing out how to avoid security holes.
The scenario is the following:
1) A user, through a client application, will enter his/her username/password.
2) The service will check those credentials against a "custom database" set up at the service side, not against a hard-coded password.
3) If the authentication is successful, the service then creates a session with a timeout that will allow the user to continue calling other web service methods without sending the username/password again, for the session lifetime.
I checked session management in Axis2 and the UsernameToken sample that comes with the Rampart module, and can use those two to build the application. Also, the application will definitely create tokens for clients to authenticate within the session with no need to enter the username/password again.
1) Do you know of any standard way to create session tokens in Axis2, or should it be custom coding?
2) If a UsernameToken with a digest password is used, is the communication between the service and the client secure enough?
3) Do you know of any similar application code that can be used as a starting point?
Thank you for your help!
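The mechanics behind the scenario and questions 1) and 2) above, as an added example that is not part of the original post or of Axis2/Rampart: a service-side check of a WS-Security UsernameToken PasswordDigest (Base64(SHA-1(nonce + Created + password)) per the UsernameToken Profile) against a credential store, with the Created-timestamp freshness window and nonce replay cache that the digest needs to be meaningful, followed by an HMAC-signed session token with a timeout for the later calls. It is written in Python rather than Axis2's Java so the protocol arithmetic stays visible; the USERS dictionary, the window and lifetime constants, and the "payload.tag" token layout are assumptions for illustration, not Axis2 or Rampart APIs.

```python
import base64
import calendar
import hashlib
import hmac
import os
import secrets
import time

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-in for the post's "custom database" (assumption, not a real store).
# The WS-Security PasswordDigest is SHA-1(nonce + created + password), so the service
# must be able to reconstruct it: the stored password has to be recoverable in
# plaintext. A one-way hash such as bcrypt cannot be used with digest mode.
USERS = {"alice": "correct horse battery staple"}

CREATED_WINDOW_SECONDS = 300   # reject tokens whose Created is further than this from now
_seen_nonces = {}              # nonce -> expiry time; replay detection within the window


def parse_created(created):
    """Created timestamp (xsd:dateTime, UTC, no fraction) -> epoch seconds."""
    return calendar.timegm(time.strptime(created, CREATED_FMT))


def ws_password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce || created || password)), as in the UsernameToken Profile."""
    nonce = base64.b64decode(nonce_b64)
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_username_token(username, password, nonce=None, created=None):
    """Client side: the fields that go into <wsse:UsernameToken> with PasswordDigest."""
    nonce_b64 = base64.b64encode(nonce if nonce is not None else os.urandom(16)).decode("ascii")
    created = created or time.strftime(CREATED_FMT, time.gmtime())
    return {"username": username, "nonce": nonce_b64, "created": created,
            "digest": ws_password_digest(nonce_b64, created, password)}


def verify_username_token(token, now=None):
    """Service side: freshness, then replay, then digest. Returns True or False."""
    now = time.time() if now is None else now
    try:
        created_ts = parse_created(token["created"])
    except (KeyError, ValueError):
        return False
    if abs(now - created_ts) > CREATED_WINDOW_SECONDS:
        return False                      # stale (or clock-skewed) token
    for stale in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[stale]           # drop nonces that can no longer be replayed
    if token["nonce"] in _seen_nonces:
        return False                      # replay of a captured token
    password = USERS.get(token["username"])
    try:                                  # compute even for unknown users (uniform timing)
        expected = ws_password_digest(token["nonce"], token["created"], password or "")
    except ValueError:
        return False
    ok = hmac.compare_digest(expected, token["digest"])
    if password is None or not ok:
        return False
    _seen_nonces[token["nonce"]] = now + CREATED_WINDOW_SECONDS
    return True


# --- session token issued after a successful UsernameToken check ---------------------
SESSION_KEY = secrets.token_bytes(32)     # service-side secret; persist/rotate per deployment
SESSION_LIFETIME_SECONDS = 900


def issue_session_token(username, now=None):
    """Opaque token 'base64(username|expiry).hmac' that the client sends on later calls."""
    now = time.time() if now is None else now
    payload = f"{username}|{int(now + SESSION_LIFETIME_SECONDS)}".encode("utf-8")
    tag = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + tag


def verify_session_token(token, now=None):
    """Return the username if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                       # forged or tampered token
    username, expiry = payload.decode("utf-8").rsplit("|", 1)
    if now > int(expiry):
        return None                       # session timeout reached
    return username


if __name__ == "__main__":
    tok = make_username_token("alice", USERS["alice"])
    print("login ok:", verify_username_token(tok), "replay ok:", verify_username_token(tok))
    sess = issue_session_token("alice")
    print("session user:", verify_session_token(sess))
```

Two caveats the digest question turns on: the digest only proves the client knew the password and, with the nonce cache and Created window, that the token is not a replay; it does not sign or encrypt the SOAP body, so the message can still be read or altered in transit unless the exchange runs over TLS or a Rampart policy adds signing and encryption. And a self-contained HMAC token like the one above cannot be revoked before its expiry; if logout or forced invalidation is needed, keep a server-side session table (Axis2's session scopes can hold it) and look the token up there instead.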