I'd like to secure my (Java metro) webservice with a login.
Here's how I'm planning to do that:
Steps required when calling a webservice method are:
my questions: 1. what's your opinion on this approach? does it make sense? 2. are there any libraries which take the burden of writing a session handling (maybe with database persistence to survive app restarts)
(the solution should be simple and easily usable with Java and .NET clients)
thanks!
This is feasible and I've seen web services using a similar approach. But I wouldn't implement my own custom solution. Instead, I would use a Security Token from the WS-Security specification and, more precisely a Username Token (you get this from WSIT which is part of Metro and is thus interoperable with .NET clients). Have a look at this article for an introduction.
Update: More pointers:
I can't say that I found WS-Security very friendly but, still, my experience is that using WS-Security takes less time than implementing a custom solution, is more secure and scales better (checking the database at each call has a cost).
Edit:
Corrected the first two links, because they were dead. Couldn't find one for the third but I think the second should cover that.