In the project we did a while back we were passing a computed token (representing a successfully authenticated principal) back to a
client as a (custom, non-cookie) response header. This token, when it was coming back, was used to retrieve a previously
authenticated Principal (from db) and used for the subsequent authorization decisions...
cheers, Sergey
----- Original Message -----
From: "Cole Ferrier" <[email protected]>
To: <[email protected]>
Sent: Monday, January 25, 2010 4:28 PM
Subject: Re: How to? Authenticate once then pass a token?
Actually I did:
http://cxf.apache.org/docs/ws-security.html
"Username Token Authentication"
On Mon, Jan 25, 2010 at 8:19 AM, KARR, DAVID (ATTCINW) <[email protected]> wrote:
-----Original Message-----
From: Cole Ferrier [mailto:[email protected]]
Sent: Monday, January 25, 2010 7:59 AM
To: [email protected]
Subject: How to? Authenticate once then pass a token?
Currently I've managed to add basic username/password security to my
web services.
How do I now change that so that I can authenticate on the first call
and create a session and then just use a token after that?
I'm doing a rather heavyweight operation to validate the username and
password, so I don't want to do it on every call.
Are there any examples of doing this?
If you're really using "basic auth", this is actually pretty easy. I
did this very recently. You first set up your web.xml with webapp
security using BASIC auth. If you examine your HTTP headers in the
response from the authenticated service, you should see a "JSESSIONID"
cookie coming back. If you store that hash value in the client and then
append ";jsessionid=<hash>" to subsequent URLs (until the session
expires), it should work. If you're making this call from JSP with
reasonable tag libraries, these mechanisms may even happen without your
intervention.
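Both approaches in this thread (Sergey's custom token header that is looked up server-side, and David's reuse of the container session id) are the same pattern: run the expensive credential check once, hand the client an opaque, unguessable identifier, and on later calls resolve that identifier to the already-authenticated principal server-side. The following is an added illustration of that pattern, not code from the thread or from CXF; the header name `X-Auth-Token`, the credential table, the 900-second TTL and the `demo()` walkthrough are all constructed for the example.

```python
import base64
import hmac
import secrets
import time

# Constructed credential table standing in for the "heavyweight" check the thread
# mentions (assumption: a real service would consult a directory or database here).
_USERS = {"alice": "correct horse battery staple"}

TOKEN_HEADER = "X-Auth-Token"  # hypothetical name for the custom, non-cookie header


def expensive_authenticate(username, password):
    """Stand-in for the costly username/password validation done only once."""
    stored = _USERS.get(username)
    # compare_digest keeps comparison time independent of where a mismatch occurs
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def make_basic_header(username, password):
    """Build an RFC 7617 'Authorization: Basic ...' value (used by the demo/test)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _parse_basic(header_value):
    """Return (user, password) from a Basic header value, or None if malformed."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class TokenStore:
    """Server-side map from opaque token -> (principal, expiry). The token itself
    carries no information; everything the server trusts lives in this map."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._sessions = {}

    def issue(self, principal):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[token] = (principal, self._clock() + self._ttl)
        return token

    def lookup(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        principal, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]  # expired: drop it rather than silently extend it
            return None
        return principal

    def revoke(self, token):
        self._sessions.pop(token, None)


def handle_request(headers, store):
    """Authorize one request. Returns (status, principal, response_headers)."""
    token = headers.get(TOKEN_HEADER)
    if token is not None:
        principal = store.lookup(token)
        if principal is None:
            return 401, None, {}     # unknown or expired token: no fallback, no hint
        return 200, principal, {}
    auth = headers.get("Authorization")
    creds = _parse_basic(auth) if auth else None
    if creds is None or not expensive_authenticate(*creds):
        return 401, None, {"WWW-Authenticate": 'Basic realm="example"'}
    # Expensive check passed exactly once; hand back the token for later calls.
    return 200, creds[0], {TOKEN_HEADER: store.issue(creds[0])}


def demo(ttl=900):
    """Walk the flow with a controllable clock; returns the observed outcomes."""
    now = [1000.0]
    store = TokenStore(ttl_seconds=ttl, clock=lambda: now[0])
    status1, who1, resp = handle_request(
        {"Authorization": make_basic_header("alice", "correct horse battery staple")}, store)
    token = resp[TOKEN_HEADER]
    status2, who2, _ = handle_request({TOKEN_HEADER: token}, store)      # token reused
    status3, _, _ = handle_request({TOKEN_HEADER: "not-a-real-token"}, store)
    now[0] += ttl + 1                                                    # jump past TTL
    status4, _, _ = handle_request({TOKEN_HEADER: token}, store)
    return (status1, who1, status2, who2, status3, status4)


if __name__ == "__main__":
    print(demo())  # (200, 'alice', 200, 'alice', 401, 401)
```

Two design points worth noting against the thread: the token is random rather than derived from anything about the user, so possession of one reveals nothing and the server-side table is the only place it can be resolved; and carrying it in a header rather than appended to the URL (as `;jsessionid=...` does) keeps it out of access logs, proxy logs and browser history, which is the usual reason to prefer the custom-header variant over the URL rewrite.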