Our clients are using MS XML but not SOAP, and can't use cookies.
We set cookies on the server (set them in the header) but get our MS
clients to rewrite those cookies into the URL for their next request, as
they can read the headers and write to URLs but not set cookies.
Is MS SOAP the same?
Dennis Sosnoski
<[EMAIL PROTECTED] To: [EMAIL PROTECTED]
> cc:
Subject: Re: HTTP redirects and SOAP
04/04/2002 06:30
Please respond to
soap-user
The only way I know of to provide session support that works across all
platforms is to basically implement it yourself. Build a wrapper for
your statefull session EJB (or whatever other session-based class you
want to use), adding a call to the wrapper that gets a session
identifier like: "String getSession(String user, String password)" (user
and password are optional, depending on your application). The wrapper
needs to get an instance of the session-based class when this call is
executed, and return a unique identifier mapped to that instance in a
HashMap or equivalent.
For each method you want to make available in the session-based class,
add a new parameter "String id" to the corresponding method in the
wrapper. The wrapper can use this to look up the instance of the
session-based class associated with that identifier, then call the
wrapped method on that instance.
Depending on your requirements you may also want to add a call
"endSession(String id)", and may also want to use timeouts for the
session-based class instance (so that if the session is not used for
some period of time it gets dropped).
Kind of ugly and tedious, but it's the only sure way of doing sessions
that I know of. Anybody have a better approach?
- Dennis
Dennis M. Sosnoski
Sosnoski Software Solutions, Inc.
http://www.sosnoski.com
Will Spies/Towers Perrin wrote:
>
>Simple. You can't. Not in the MS SOAP Toolkit 2.0SP2 anyway. I even got it
>in writing. The following is a response from Microsoft from my question
>about why the don't support cookies and redirects.
>
>>>This is so because it is the first version of the product mainly. We
>>>saw redirects as a major security risk and cookie as something most Soap
>>>applications wouldn't use because we specifically didn't want to support
>>>sessions. As I said before, the Wininet connector doesn't have these
>>>limitations because it uses the IE http stack instead of HTTPLIB.
>>>
>
>>>Soap uses some of the http infrastructure but it isn't a normal http
>>>application.
>>>
>
>
>
>
>
>
> To:
<[EMAIL PROTECTED]>
> "Hozefa Botee" cc: (bcc: Will
Spies/Towers Perrin)
> <hoze@interlacesy Subject: RE: HTTP
redirects and SOAP
> stems.com>
>
> 04/03/02 03:02 PM
> Please respond to
> soap-user
>
>
>
>
>
>
>How does one implement session behavior with MS
>SOAP toolkit without cookies? esp. when talking
>to an AXIS server?
>
>H
>
>>-----Original Message-----
>>From: Will Spies/Towers Perrin [mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, April 03, 2002 3:57 AM
>>To: [EMAIL PROTECTED]
>>Subject: Re: HTTP redirects and SOAP
>>
>>
>>
>>
>>I've had this same nightmare. Here is what I've learned:
>>
>>MS SOAP Toolkit does not support cookies or redirects ( they
>>view the former as unnecessary and the latter as a security
>>issue ) Apache SOAP Toolkit supports cookies but does not
>>support redirects Systinet SOAP Toolkit supports redirects
>>but not cookies.
>>
>>I don't get it. They should all support cookies and redirects
>>if you ask me. This is the basis for any SSO product and some
>>proxy servers.
>>
>>_______________________
>>Will Spies
>>Towers Perrin
>>Phone: (215)246-7145
>>e-mail: [EMAIL PROTECTED]
>>
>>
>>
>>
>>
>>
>>
>>
>> To:
>>[EMAIL PROTECTED]
>>
>> "Brian BBA41 cc:
>>(bcc: Will Spies/Towers Perrin)
>>
>> Bannister" Subject: Re:
>>HTTP redirects and SOAP
>>
>> <bbannister@qanta
>>
>>
>> s.com.au>
>>
>>
>>
>>
>>
>> 04/02/02 07:35 PM
>>
>>
>> Please respond to
>>
>>
>> soap-user
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>Why don't you set up the servlet to be container protected
>>and allow the container to do the basic authentication? We do
>>this with weblogic and apache SOAP and it works well. An
>>unauthenticated user gets a 401 unauthorized and can reply
>>with the basic authentication header. An unauthenticated user
>>that sends the basic authentication header on first request
>>gets straight through.
>>
>>
>>
>>
>> Martin Hubley
>>
>> <[EMAIL PROTECTED] To:
>>"'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>>
>> om> cc:
>>
>> Subject: HTTP
>>redirects and SOAP
>> 03/04/2002 06:43
>>
>> Please respond to
>>
>> soap-user
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>Hi,
>>
>>My basic question is does Apache SOAP (or any other SOAP
>>implementation) support http redirect headers in a response
>>for a client?? The gory details follow...
>>
>>We have a setup where I am using the GLUE SOAP servlet as
>>part of a J2EE ear running in JBoss 2.4.4 (with Tomcat
>>4.0.1), where the servlet (and our other servlets) is
>>protected by a custom filter implemented for single-sign-on
>>purposes. This filter redirects all requests without our auth
>>cookie to an auth servlet, which requests basic auth from the
>>client, and which when successful sets a cookie and redirects
>>back to the original url. When in an Apache SOAP test client
>>and I make a call to the original URL, i.e.
>>http://localhost:8000/soap/urn:service.wsdl, I > get a SOAP
>>fault back containing the HTTP 302 response from the server
>>(as well as a SOAPException with an unsupported content type
>>as the HTTP 302 response is text/html). (This call works fine
>>in the test client if I deploy the servlet and SOAP
>>implementation without our filters that do the authentication
>>redirects)
>>
>>The actual response coming back from our SingleSignOnFilter
>>is a standard redirect with the URL we want to redirect to
>>for authentication:
>>
>>HTTP/1.1 302 Moved Temporarily
>>Content-Type: text/html
>>Date: Tue, 02 Apr 2002 19:14:33 GMT
>>Location:
>>http://localhost:8080/auth/AuthServlet?ds.sso.return-url=http%
>>
>3A%2F%2Flocalhost%3A8080%2Fsoap%2Furn%3Aservice
>
>
>Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)
>Connection: close
>
>followed by a standard Apache error page containing the 302 info.
>
>Are there any easy ways to do such redirects using Apache SOAP or any
>other SOAP implementation? Am I missing something obvious here, i.e.
>perhaps there is a way to do redirects in a SOAP message instead of with
>HTTP headers? Any help appreciated,
>
>Thanks,
>
>Martin
>
>
>
>
>
>
>Qantas
>
>
>
>
>
>
>
>
>
