Secure Web Service Methods and Performance Concern

 
Ranch Hand
Posts: 31
I am developing a set of web services methods for some admin users. Now I need to add in some authentication and authorization to secure those methods. Now I have some performance concerns. Say when an admin is using the UI, every time this admin does a submit to a service method, the admin needs to pass through the authentication and authorization process. This seems to be chatty. I understand that web services should be designed to be stateless, but in order to reduce the number of auth calls, shall I use a session for this purpose? That means when the same user tries to use those secured methods in the same session, he or she only needs to go through auth once. What is the usual practice on this issue? I am using Axis 1.4, by the way, with JDK 1.5.

Thank you.

Rick
[ June 21, 2008: Message edited by: Ricky Murphy ]
 
Rancher
Posts: 43081
Are you certain that you need to optimize this? By that I mean whether you have timed the execution of the WS including security, and found that they take too long for the user to endure?

I'm asking because, yes, there's an overhead, but I'd want to be sure that it matters before doing anything about it.

> the admin needs to pass through the authentication and authorization process. This seems to be chatty.

I'm not sure what you mean by this. The credentials entered by the human being can be remembered by the client app, so the person doesn't need to go through it more than once. What is "chatty" about that? WS-Security info is tacked onto the SOAP call, so it's not like there are additional WS calls to be made.
 