Well, couple of thoughts:

1) You can just use an HTTP session on the server side to record anything you want there. Obviously just works for HTTP. However, by default, most SOAP clients don't maintain a session. For JAXWS you have to explicitly set a request property to tell it to maintain the session cookie.

2) WS-SecureConversation COULD be used for this if you are really just talking to a single service. Before the first request to the service, the client would contact the service and negotiate the security requirements (in your case, UsernameToken type stuff) and get a conversation token back that is sent with each request later on. You may need to write some interceptors to map the conversation token id to a Principal though. I don't think we do that automatically. (might be a good addition though)

3) WS-Trust is similar to WS-SecConv, but the token is obtained from a separate trust server, not the service itself.

Dan

On Tue January 26 2010 3:00:57 pm Cole Ferrier wrote:
> So I think I need to clarify my question.
>
> Currently, I have basic WS-Security set up to authenticate a username
> and password using a callback class. This is working.
>
> However, the steps that are required to do that are very very expensive.
>
> So I would like to build some sort of session. Basically authenticate
> once, then rely on the fact they are already authenticated.
>
> I understand WS-Trust could potentially accomplish this? Any
> information would be helpful, on how to get started.
>
> Basically the problem I have is validating username/password is way too
> expensive to do on every call, so how can I work around that?
>
> Cole
>
> On Mon, Jan 25, 2010 at 8:28 AM, Cole Ferrier <[email protected]> wrote:
> > Actually I did:
> >
> > http://cxf.apache.org/docs/ws-security.html
> >
> > "Username Token Authentication"
> >
> > On Mon, Jan 25, 2010 at 8:19 AM, KARR, DAVID (ATTCINW) <[email protected]> wrote:
> >>> -----Original Message-----
> >>> From: Cole Ferrier [mailto:[email protected]]
> >>> Sent: Monday, January 25, 2010 7:59 AM
> >>> To: [email protected]
> >>> Subject: How to? Authenticate once then pass a token?
> >>>
> >>> Currently I've managed to add basic username/password security to my
> >>> web services.
> >>>
> >>> How do I now change that so that I can authenticate on the first call
> >>> and create a session and then just use a token after that.
> >>>
> >>> I'm doing a rather heavy weight operation to validate the username and
> >>> password, so I don't want to do it on every call.
> >>>
> >>> Are there any examples of doing this?
> >>
> >> If you're really using "basic auth", this is actually pretty easy. I
> >> did this very recently. You first set up your web.xml with webapp
> >> security using BASIC auth. If you examine your HTTP headers in the
> >> response from the authenticated service, you should see a "JSESSIONID"
> >> cookie coming back. If you store that hash value in the client and then
> >> append ";jsessionid=<hash>" to subsequent URLs (until the session
> >> expires), it should work. If you're making this call from JSP with
> >> reasonable tag libraries, these mechanisms may even happen without your
> >> intervention.
>

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
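
An added example, not part of the original thread and not CXF code, of the idea discussed above: run the expensive username/password check once, then map a random, expiring token to the principal on later calls. `AuthTokenCache`, its methods and the sample credentials are hypothetical; how the token travels (session cookie, conversation token) and the interceptor wiring are left out.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

/** Hypothetical helper: one expensive credential check, then token-to-principal lookups. */
public class AuthTokenCache {
    private record Entry(String principal, Instant expires) {}
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final BiPredicate<String, String> expensiveCheck; // stands in for the password callback
    private final Duration ttl;

    public AuthTokenCache(BiPredicate<String, String> expensiveCheck, Duration ttl) {
        this.expensiveCheck = expensiveCheck;
        this.ttl = ttl;
    }

    /** First call: validate the credentials and issue an unguessable 256-bit token. */
    public Optional<String> login(String user, String password) {
        if (!expensiveCheck.test(user, password)) return Optional.empty();
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Entry(user, Instant.now().plus(ttl)));
        return Optional.of(token);
    }

    /** Later calls: resolve the token to its principal; unknown or expired tokens are rejected. */
    public Optional<String> principalFor(String token) {
        Entry e = token == null ? null : sessions.get(token);
        if (e != null && Instant.now().isBefore(e.expires())) return Optional.of(e.principal());
        if (e != null) sessions.remove(token); // expired: evict the stale entry
        return Optional.empty();
    }

    public static void main(String[] args) {
        int[] calls = {0}; // counts runs of the constructed "expensive" check
        AuthTokenCache cache = new AuthTokenCache(
            (u, p) -> { calls[0]++; return u.equals("alice") && p.equals("s3cret"); },
            Duration.ofMinutes(15));
        String token = cache.login("alice", "s3cret").orElseThrow();
        for (int i = 0; i < 3; i++) System.out.println(cache.principalFor(token));
        System.out.println("expensive checks: " + calls[0] + ", forged: " + cache.principalFor("guess"));
    }
}
```

The token stands in for the credentials until it expires, so it needs the same transport protection as the password and a short lifetime.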
