Dear Dan, Thank you for your Inputs.
My focus is to build a secure Session handling mechanish independent of Transport or any low level details. " Encrypted XML Document containing Session Tokens; and an aggrement between two Web services about the way they will use and Update the token" should do the trick. And as you suggested we can use the Interceptors to realize this. Im reading about the standards, and It looks like WS-Context is the right way to proceed. Ref: http://www.idealliance.org/proceedings/xml05/ship/54/xml2005-wssessions.HTML #d0e217 http://www.w3.org/2001/03/WSWS-popa/paper29 WS Addressing is not advocated; also the Working Group is now closed Ref: http://www.infoq.com/news/2007/09/wsacloses CXF Page here( http://cxf.apache.org/getting-involved.html ) shows "WS-Context & Session support" as an Idea. But the page was last updated on Sep 19, 2007 as you can see. Can you please confirm whether its been taken to the next level, or is still open for exploration? I would really appreacte it if you would correct me if any of these understandings is wrong; Thanks a lot. PS : Im also planning to add WS-Security to the system; for that I probably might use the WSS4J Interceptor solution. regards anoopPrasad Two roads diverged in a wood, and I -- I took the one less traveled by, and that has made all the difference! HUAWEI TECHNOLOGIES CO.,LTD Address: Huawei Industrial Base Bantian Longgang Shenzhen 518129, P.R.China www.huawei.com ---------------------------------------------------------------------------- --------------------------------------------------------- This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! -----Original Message----- From: Daniel Kulp [mailto:dk...@apache.org] Sent: Tuesday, February 10, 2009 10:34 PM To: dev@cxf.apache.org Cc: anoopPrasad Subject: Re: Application Layer Session Management for WS I'm really not aware of any non-http level session stuff going on right now. It wouldn't be hard to write a set of interceptors that would do this for JMS. The server "in" interceptor would just pull a session ID from someplace (soap header or JMS header or similar) and validate it and store it on the exchange/message to be used later in the implementation or similar. An "out" interceptor would add it to the response. Client side would be similar. Dan On Fri February 6 2009 3:53:49 am anoopPrasad wrote: > Dear All, > > I have Integrated the latest CXF 2.1.3 with my system and it started > working without making much noise (Some noise near the JMS area ;-) > ;change in the way we were configuring it) > > We do have a need to maintain session for certain Web Services for > licensing the same for certain Service consumers.I started exploring > options within CXF and found an interesting discussion here > http://www.nabble.com/session-management-td11326045.html > But that discussion focused on HTTP/jetty based session handling. > > Do we have a mechanism to handle the Sessions at the application layer > level itself; something like what they have in Axis2. If yes kindly > point me in the right direction. > If not please let me know if we have any work in progress in this > direction. > > Thanks in advance. > > regards > anoopPrasad -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog
