I am currently working on a Java desktop client to interact with a .Net web-service. The web-service is exposing some functions that already exist in the company's web application. The company would like to use the desktop client to replace some of the functions in the web due to some business requirement.
The web page requires username / password login and uses http session and cookie to store user related information. The username and password are stored within database.
The desktop client also requires username / password login.
My question is how should I implement the web-service security mechanism in this case, since all communication are open text if use pure http.
Some options I have in my mind
(1) use web-service over https to encrypt all messages
(2) use the login method to get a server side session id and every time making the call use the same session id. the server side will need to persist it and check it everytime the client calls
or just directly use the http session id
Have you had a look at Spring Security?
Among the features are:
- It integrates with existing database.
- Provides integration with WS-Security.
- Your application code does not have to contain any security-related code, it is isolated.
For more, see: http://static.springsource.org/spring-security/site/features.html Best wishes!
subject: Question about designing a web-service security mechanism used with desktop client