-
To all the Web Service experts: does Web Service have anything like the Session in Servlets? Is Web Service itself stateless?
-std(std);
2002-5-27
(#543191@0)
-
Of course there is Session... MS and Sun disagree on stateful vs. stateless, and each has its own reasons... .NET has made using Session more efficient...
-lazycod(Elite Warrior);
2002-5-27
(#543204@0)
-
It's a bit troublesome that it hasn't become a standard. Without state, how do you do authentication/authorization?
-std(std);
2002-5-27
(#543218@0)
-
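There are plenty of ways. The earliest one, the cookie, can be used for this, and there is also adding parameters to the query string, etc... Now .NET makes using Session very convenient, so you can just go ahead and use it. Even the Session in Servlets uses the same mechanism...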
-lazycod(Elite Warrior);
2002-5-27
(#543223@0)
-
I'm talking about Web Service RPC, not a URLConnection connecting to a servlet.
-std(std);
2002-5-27
(#543227@0)
-
The underlying mechanism is the same... Otherwise why would it be called a Web Service?
-lazycod(Elite Warrior);
2002-5-27
(#543231@0)
-
Yes, but RPC defines an endpoint interface, and I don't see anywhere that it provides a way to get/set HTTP headers.
-std(std);
2002-5-27
(#543238@0)
-
Can't you just use Session? There's no need to write code to add information to the header...
-lazycod(Elite Warrior);
2002-5-27
(#543245@0)
-
Internet connections themselves are all stateless; you have to rely on other means to maintain state.
-lazycod(Elite Warrior);
2002-5-27
(#543235@0)
-
That's not right.
-std(std);
2002-5-27
(#543240@0)
-
ok let's discuss it. go ahead... give me your opinion please
-lazycod(Elite Warrior);
2002-5-27
(#543248@0)
-
he is right. internet is stateless. just request / response.
-mimi888(老猫钓鱼);
2002-5-27
(#543334@0)
-
"Internet is stateless" is not proper. As far as I know, we can only say HTTP is a stateless protocol.
-sunnyhoo(sunny);
2002-5-27
{1041}
(#543724@0)
-
Thank you for your answer. Can you tell me how I can set/get auth_token within the implementation class of the endpoint interface? That is, how to implement session tracking in Java XML-based RPC? Thanks again!
-std(std);
2002-5-27
(#543730@0)
-
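Nice to meet you; I hope we can exchange ideas more. Although you can add an auth_token in the SOAP header, few servers support this. Are you using soap2.2 or Axis? I've heard there is a product called SOAP Router that can add an auth_token and transmit and parse this kind of XML.
SOAP does support SSL, but I haven't used it, so I don't know whether it works well.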
-uid(㊣Miracle);
2002-5-27
{111}
(#543967@0)
-
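I think web services RPC routers are basically all stateless; every invoke is a separate call, especially when you invoke from the client stub. However, you can set up a web services gateway and write your own handler there to build your own session mechanism.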
-uid(㊣Miracle);
2002-5-27
(#543925@0)
-
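I think you're asking about .NET web services, right? That should not be the same thing the poster above was talking about. Web services all use the SOAP protocol underneath; it can be packaged into a .war file to accept HTTP requests, but it is actually the SOAP protocol.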
-uid(㊣Miracle);
2002-5-27
(#543936@0)
-
SOAP over HTTP
-std(std);
2002-5-27
(#543942@0)
-
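Yes, SOAP is transported over HTTP and SMTP, but it is actually XML. If you only want to do authentication/authorization, you can make the WSDL implementation class a session bean and use the security mechanism of the EJB bean container to implement it.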
-uid(㊣Miracle);
2002-5-27
(#543982@0)
-
A. Web service can support 1. HTTP GET/POST 2. SOAP.
B. For .NET session you can use 1. session with targeting server 2. session storing in database. Both of these can solve the problem of server farm.
-chinatiger(能曾金刚的生神);
2002-5-27
(#543963@0)
-
For .NET, a web service can accept GET/POST, but only with a limited set of data types, and the parameters must be by-value, because Microsoft .NET can dynamically create objects on the server side to call web services.
For typical commercial SOAP, many more data types are supported, everything is called through the client stub, and each call is one SOAP invoke, so how do you define an HTTP session?
-uid(㊣Miracle);
2002-5-27
{270}
(#544044@0)
-
The base class of WebService has 2 collections for holding the state: 1. Application 2. Session. I think it is pretty much the same as the ASP.NET state management.
-chinatiger(能曾金刚的生神);
2002-5-28
(#544396@0)
-
What does a Web Service need Session for? That's for dumb browsers; you write your own program...
-miketany(MIKE老狼);
2002-5-27
(#543969@0)
-
Basically, there are several ways to trace identification:
1. session
2. cookie
3. URLRewriting
4. hidden form
Could you tell how to write your own code if you don't use one of them?
-sunnyhoo(sunny);
2002-5-28
{126}
(#545121@0)
-
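Are you sure the two of us are discussing the same question? When you call a remote Web Service from your own application, you can design ten thousand ways of your own to track the session.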
-miketany(MIKE老狼);
2002-5-28
(#545283@0)
-
I know what you mean. You are right: in your circumstance, we don't need session at all, but you have to send the auth info in your SOAP message every time you invoke a method which is secured by the server, because HTTP is a stateless protocol.
I thought what we have discussed is a browser client.
-sunnyhoo(sunny);
2002-5-28
{274}
(#545572@0)
-
There is one thing I am not sure about: is Web Service designed for browsers? I use it only in applications. If it is a browser client, why not ASP or JSP?
-miketany(MIKE老狼);
2002-5-28
(#545732@0)
-
let's discuss the direct use of SOAP on J2EE first
-sunnyhoo(sunny);
2002-5-28
{847}
(#545022@0)
-
My web service will be called by clients developed by other organizations, even in languages other than Java. What I expect is high-level support of session tracking, something specified in the WSDL specification. The reason is simple; it is easy for various clients to have the same functionality.
-std(std);
2002-5-28
{84}
(#545159@0)
-
In the .NET environment, you just input some stuff in Web.Config:
<authentication mode="Forms">
  <forms name=".G3EAUTH" loginUrl="Main/Logon.aspx" protection="All">
  </forms>
</authentication>
<authorization>
  <allow users="*"/>
</authorization>
So, you can handle security same as ASP
-cdr(spiderdog4);
2002-5-28
{252}
(#545316@0)
-
let's talk something about WebServices on Weblogic
-sunnyhoo(sunny);
2002-5-28
{1665}
(#545518@0)
-
Thank you for your information. Session tracking in XML base RPC is "web service container dependent".
-std(std);
2002-5-28
(#545601@0)
-
Maybe the more generic way to do authentication and authorization is:
1. define two SOAP message APIs, like this:
get_AuthToken
discard_AuthToken
2. add authToken information to all the SOAP message APIs which you want to be authenticated
3. describe your SOAP message API in WSDL
4. use the get_AuthToken API to get an auth token from the server
5. put the token in the SOAP message you want to be authenticated and send it to the server
6. the server uses its platform-related mechanism to authenticate and authorize
-sunnyhoo(sunny);
2002-5-28
{440}
(#546191@0)
-
My understanding so far:
1) I will not expect WSDL to support session now. That might be the reason BEA WebLogic does not support stateful session beans.
Points 2-3 are my speculation about WebLogic "session".
2) Add a filter in front of the servlet to implement ACL/authentication. The auth_token is a parameter in SOAP that will be returned by the client by default (similar to a cookie in HTTP).
3) A user database for role-based authentication.
I think uid has a similar idea in post #543925.
-std(std);
2002-5-29
{466}
(#546274@0)
-
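An MSDN article on Web Service security describes various Web Service security scenarios. The approach they take is to have the client log on once and then issue the client an AuthID. The client supplies this AuthID on every call, and the server uses it to verify permissions. The AuthID has a lifetime of one day. I think your understanding should be correct. For good compatibility, don't try to add your own things to existing standards.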
-miketany(MIKE老狼);
2002-5-29
{162}
(#546658@0)
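
The token scheme from posts #546191 and #546658 above (get_AuthToken / discard_AuthToken, a token carried in every SOAP message, a one-day lifetime), shown from the server side as an added example that is not code from any poster or product. Python is used because the scheme is meant to work for clients on any platform; the `urn:example:auth` namespace, the `AuthToken` header element, the `getBalance` call and the user table format are assumptions.

```python
import hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
APP_NS = "urn:example:auth"   # assumed namespace for the AuthToken header
TOKEN_TTL = 24 * 60 * 60      # one-day token lifetime, as in the post above

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class TokenService:
    def __init__(self, users):
        self.users = users    # {name: (salt, pw_hash)}, assumed user table
        self.tokens = {}      # {sha256(token): (user, expiry)}; raw tokens are not stored

    def get_auth_token(self, user, password, now=None):
        now = time.time() if now is None else now
        salt, stored = self.users.get(user, (b"", b""))  # unknown user still costs a hash
        if not hmac.compare_digest(pw_hash(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)   # random, carries no user data
        self.tokens[digest(token)] = (user, now + TOKEN_TTL)
        return token

    def discard_auth_token(self, token):
        return self.tokens.pop(digest(token), None) is not None

    def authenticate(self, envelope_xml, now=None):
        """Return the caller's user name, or None if the request must be rejected."""
        now = time.time() if now is None else now
        if "<!DOCTYPE" in envelope_xml:     # SOAP messages must not carry a DTD
            return None
        try:
            root = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return None
        node = root.find(f"{{{SOAP_NS}}}Header/{{{APP_NS}}}AuthToken")
        token = (node.text or "").strip() if node is not None else ""
        user, expiry = self.tokens.get(digest(token), (None, 0))
        return user if user is not None and now < expiry else None

def make_request(token, method="getBalance"):
    """Constructed sample request: token in the SOAP header, call in the body."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:a="{APP_NS}">'
            f'<soap:Header><a:AuthToken>{token}</a:AuthToken></soap:Header>'
            f'<soap:Body><a:{method}/></soap:Body></soap:Envelope>')
```

The token is a bearer credential, so both the logon call and every later call need to travel over SSL/TLS.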
-
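I think the fellow who asked this question is mixing up Web Service and web server. As long as a web server is used there will be sessions; when you call a Web Service over HTTP, security is still implemented by the web server and has nothing to do with the concept of Web Service.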
-nice2002(nice2002);
2002-5-29
{119}
(#546631@0)