I am developing a set of web service methods for some admin users. Now I need to add some authentication and authorization to secure those methods, and I have some performance concerns. Say an admin is using the UI: every time this admin submits to a service method, the admin needs to pass through the authentication and authorization process. This seems to be chatty. I understand that web services should be designed to be stateless, but in order to reduce the number of auth calls, shall I use a session for this purpose? That means: when the same user tries to use those secured methods in the same session, he or she only needs to go through auth once. What is the usual practice on this issue? I am using Axis 1.4, by the way, with JDK 1.5.
Rick [ June 21, 2008: Message edited by: Ricky Murphy ]
Are you certain that you need to optimize this? By that I mean whether you have timed the execution of the WS including security, and found that they take too long for the user to endure?
I'm asking because, yes, there's an overhead, but I'd want to be sure that it matters before doing anything about it.
"the admin needs to pass through the authentication and authorization process. This seems to be chatty."
I'm not sure what you mean by this. The credentials entered by the human being can be remembered by the client app, so the person doesn't need to go through it more than once. What is "chatty" about that? WS-Security info is tacked onto the SOAP call, so it's not like there are additional WS calls to be made.