使用Web服务时如何管理用户的会话?
[英]How can I manage users' sessions when I use web services?
问题描述
In case if user works with web application via web browser, the user's session is managed by application server. 
如果用户通过Web浏览器使用Web应用程序,则用户的会话由应用程序服务器管理。 It takes care of sessions creation, validation, timeouts, disposings, etc. 它负责会话创建,验证,超时,处理等。
And as far as I know there is no such mechanisms in the other case, if user works with app via remote client and uses SOAP web services. 据我所知,在其他情况下没有这样的机制,如果用户通过远程客户端使用app并使用SOAP Web服务。
So the question is, how can we manage users' sessions in case of web services and implement the same mechanisms of session management such as invalidation, prolongation, disposing? 所以问题是,我们如何在Web服务的情况下管理用户的会话,并实现相同的会话管理机制,如失效,延长,处置?
3 个解决方案
解决方案1
10 已采纳 2011-11-07 13:21:21
Assuming you use JAX-WS and SOAP/HTTP it is possible to work with container managed security (and eg session cookies) as well. 假设您使用JAX-WS和SOAP / HTTP,则可以使用容器管理的安全性(例如会话cookie)。 You just have to inject WebServiceContext in your service. 您只需要在服务中注入WebServiceContext 。 It allows access to all HTTP environment variables: 它允许访问所有HTTP环境变量:
@Resource
WebServiceContext wsContext;
A detailed example is available here . 这里有一个详细的例子。 Of course, your clients must support this as well (if they are JAX-WS based it works). 当然,您的客户也必须支持这一点(如果它们是基于JAX-WS的,它可以工作)。 Nevertheless, a rule of thumb is that web services should not maintain any state at all, they should behave stateless. 然而,经验法则是Web服务根本不应该保持任何状态,它们应该表现为无状态。 See this on SO . 在SO上看到这个 。
Edit: You can access the ServletRequest by: 编辑:您可以通过以下方式访问ServletRequest:
@WebMethod
public void foo() {
final MessageContext mc = this.wsContext.getMessageContext();
final ServletRequest sr = mc.get(MessageContext.SERVLET_REQUEST);
/* works if this is a HTTP(s) request */
if (sr != null && sr instanceof HttpServletRequest) {
final HttpServletRequest hsr = (HttpServletRequest) sr;
hsr.getSession(true);
/* ... */
} else {
/* do some exceptional stuff */
}
}
The session created above should behave in exactly the same way as a 'standard' web session. 上面创建的会话应该与“标准”Web会话完全相同。 You must make sure that your clients understand that as well. 您必须确保您的客户也理解这一点。 They have to submit the session identifier (cookie) on each subsequent call. 他们必须在每次后续调用时提交会话标识符(cookie)。
解决方案2
2 2018-05-26 11:21:08
- Web Service does not support session state for achieving high scalability , web service is designed stateless . Web Service不支持会话状态以实现高可伸缩性 ,Web服务设计为无状态 。
- Session state handling is not a part of SOAP specification. 会话状态处理不是SOAP规范的一部分。 The cookie stores a token which acts as session identifier. cookie存储用作会话标识符的令牌。 There are a number of ways to pass the session identifier: as an HTTP cookie, as a SOAP header, or as an element in the SOAP message body. 有许多方法可以传递会话标识符:作为HTTP cookie,作为SOAP标头,或作为SOAP消息体中的元素。
- A SOAP header is transport independent, but it requires the SOAP client and service to agree on the format of the SOAP header, and it required that both the SOAP client and SOAP server implementations support SOAP headers. SOAP标头与传输无关,但它要求SOAP客户端和服务同意SOAP标头的格式,并且它要求SOAP客户端和SOAP服务器实现都支持SOAP标头。 If you use the SOAP body to pass the session id, then it's up to the service (ie, your application code) to re-establish the state on each call. 如果您使用SOAP主体传递会话ID,则由服务(即您的应用程序代码)决定是否在每次调用时重新建立状态。 Stateful processing can make cross-SOAP interoperability a bit more challenging, but it does work. 有状态处理可以使跨SOAP互操作性更具挑战性,但它确实有效。 Check into the capabilities of your SOAP implementation. 检查SOAP实现的功能。 source 资源
解决方案3
2 2011-11-07 13:25:54
I think you are talking about how to maintain web-services session(state-full web-services). 我想你正在讨论如何维护网络服务会话(状态完整的网络服务)。
In this case following link can help you: 在这种情况下,以下链接可以帮助您:
https://blogs.oracle.com/sujit/entry/ws_addressing_and_stateful_webservice https://blogs.oracle.com/sujit/entry/ws_addressing_and_stateful_webservice
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.