We want to implement a simple userId/password based authentication mechanism for our web services that are exposed to other web applications inside the internal network. Right now I am not worried about SSL encryption etc.
We want the "authenticated" client state to be persisted (the client web application should persist state in the HTTP session) so that every time we make service calls, the userid/password is not passed as an HTTP header or SOAP header.
The caller's user identity should be available at server side for permission checks in the simplest possible way.
Using standard techniques which work in a clustered server and clustered client environment.
The development team is new to Web Services, especially Axis2, so we do not want to introduce complex technologies at this stage (WS-Security, we find, is not so simple to understand and use; please correct me if I am wrong).
I implemented a POC using stateful Axis2 Web Services and a standalone client program based on a previous post.
Here is what the POC for authentication looks like:
There are 2 services which are added to one group:
The Hello World Web Service has 2 operations, authenticate and hello:
The second service, which has one operation:
services.xml looks like this:
After generating stubs for both the services using Eclipse WTP, the client program looks like this:
This example works fine. Please comment on the following queries:
I would like to have further suggestions on how to improve this code or my overall approach.
The Apache Axis2 article "Clustering for Stateful Web Services" says: "You may safely use services in "soapsession" scope provided you don't modify (or modify at all) state in ServiceGroupContext frequently." Please let me know if there are some risks in using this approach in a clustered environment where the web services are hosted on a cluster (JBoss in this case).
As can be seen from TestWSClient, I am planning to store the client state by storing the "ServiceClient sc" object in the web application's HTTP session. This object is obtained from the authentication service and then the same is reused to call other services. As per my initial test this approach works fine, but since this object is not Serializable I don't think I will be able to use it when the web application runs in a clustered environment. Please provide any suggestions regarding this.
Please highlight any other drawback of this approach.
Thanks for having patience in reading this long post.
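The server-side half of the pattern described above (identity stored once in the soapsession-scoped ServiceGroupContext at authenticate, then read back for permission checks by every operation in the group), as an added example that is not the poster's POC code. It assumes the Axis2 1.x API (MessageContext.getCurrentMessageContext(), ServiceGroupContext get/setProperty, AxisFault); the credential store and role lookup are constructed in-memory placeholders.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.context.ServiceGroupContext;

public class HelloWorldService {
    // Serializable so a replicated ServiceGroupContext can carry it to other cluster nodes
    public static final class Caller implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String userId;
        public final String role;
        Caller(String userId, String role) { this.userId = userId; this.role = role; }
    }
    private static final String CALLER_KEY = "authenticated.caller";

    // Constructed placeholder for a real credential/role store (assumption, not from the post)
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("alice", new String[] {"s3cret", "admin"}); }

    private static ServiceGroupContext groupContext() {
        return MessageContext.getCurrentMessageContext().getServiceGroupContext();
    }

    // The only operation that writes shared state: set once per session, so the
    // clustered ServiceGroupContext is not modified on every call (the article's caveat)
    public boolean authenticate(String userId, String password) throws AxisFault {
        String[] rec = USERS.get(userId);
        if (rec == null || !rec[0].equals(password)) {
            throw new AxisFault("authentication failed"); // same message for unknown user / bad password
        }
        groupContext().setProperty(CALLER_KEY, new Caller(userId, rec[1]));
        return true;
    }

    public String hello(String name) throws AxisFault {
        Caller c = requireCaller();                 // identity comes from the session, not the request
        return "Hello " + name + ", you are " + c.userId;
    }

    // Reusable permission checks for any operation in the service group
    static Caller requireCaller() throws AxisFault {
        Object o = groupContext().getProperty(CALLER_KEY);
        if (!(o instanceof Caller)) throw new AxisFault("not authenticated");
        return (Caller) o;
    }

    static void requireRole(String role) throws AxisFault {
        if (!role.equals(requireCaller().role)) throw new AxisFault("forbidden");
    }
}
```

On the client side this means only the soapsession identifier needs to survive in the HTTP session, not the ServiceClient object itself; a lost or unreplicated session simply fails requireCaller() and forces a fresh authenticate.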