Tags: java, web-services, session, java-metro-framework, java-ws

How to secure Java webservices with login and session handling


I'd like to secure my (Java metro) webservice with a login.

Here's how I'm planning to do that:

Steps required when calling a webservice method are:

  1. call login(user, pwd), receive a session token
     1.1 remember the token
  2. call servicemethod(token, arg1, arg2...)
  3. webservice checks if the token is known; if not, throw an exception, otherwise proceed
  4. logout or timeout after x time periods of inactivity

My questions:

  1. What's your opinion on this approach? Does it make sense?
  2. Are there any libraries which take the burden of writing session handling (maybe with database persistence to survive app restarts)?

(the solution should be simple and easily usable with Java and .NET clients)

Thanks!
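
The four steps above, written out as a JAX-WS endpoint. This is an added example, not code from the question or from Metro; the class and method names, the 15-minute inactivity timeout and the demo user "alice" are assumptions. It shows the parts a custom scheme has to get right: an unguessable token from `SecureRandom`, a salted PBKDF2 password check compared in constant time, the same failure message for unknown user and wrong password, and a sliding timeout enforced on every call.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.jws.WebMethod;
import javax.jws.WebService;

// Added example, not code from the original post: a JAX-WS endpoint implementing the
// login -> token -> serviceMethod -> logout/timeout flow. Names and timeout are assumptions.
@WebService
public class SessionService {

    /** Inactivity timeout (assumption; tune for your application). */
    static final long TIMEOUT_MILLIS = 15 * 60 * 1000L;
    private static final SecureRandom RNG = new SecureRandom();

    /** Live sessions keyed by token. In-memory only: lost on restart, not shared across nodes. */
    private static final Map<String, Session> SESSIONS = new ConcurrentHashMap<>();

    /** Constructed demo user store: user -> {salt, PBKDF2 hash}. Never store plaintext passwords. */
    private static final Map<String, byte[][]> USERS = new ConcurrentHashMap<>();
    static {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        USERS.put("alice", new byte[][] { salt, pbkdf2("correct horse".toCharArray(), salt) });
    }

    static final class Session {
        final String user;
        volatile long lastSeen;
        Session(String user, long now) { this.user = user; this.lastSeen = now; }
    }

    /** Step 1: verify credentials and hand out an unguessable token. */
    @WebMethod
    public String login(String user, String password) {
        if (!credentialsValid(user, password)) {
            // One message for "no such user" and "wrong password": do not reveal which.
            throw new SecurityException("login failed");
        }
        byte[] raw = new byte[32];                 // 256 random bits, never a counter or a hash of the user
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(token, new Session(user, System.currentTimeMillis()));
        return token;
    }

    /** Steps 2 and 3: every business method starts by resolving the token. */
    @WebMethod
    public String serviceMethod(String token, String arg1, String arg2) {
        Session s = requireSession(token);
        return s.user + " called serviceMethod(" + arg1 + ", " + arg2 + ")";
    }

    /** Step 4 (explicit): logout invalidates the token immediately. */
    @WebMethod
    public void logout(String token) {
        if (token != null) SESSIONS.remove(token);
    }

    /** Steps 3 and 4 (timeout): reject unknown tokens and expire idle ones (sliding timeout). */
    static Session requireSession(String token) {
        Session s = token == null ? null : SESSIONS.get(token);
        if (s == null) throw new SecurityException("unknown session");
        long now = System.currentTimeMillis();
        if (now - s.lastSeen > TIMEOUT_MILLIS) {
            SESSIONS.remove(token);
            throw new SecurityException("session expired");
        }
        s.lastSeen = now;
        return s;
    }

    private static boolean credentialsValid(String user, String password) {
        byte[][] rec = user == null ? null : USERS.get(user);
        if (rec == null || password == null) return false;
        // MessageDigest.isEqual runs in constant time, so timing does not leak how many bytes matched.
        return MessageDigest.isEqual(rec[1], pbkdf2(password.toCharArray(), rec[0]));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two things the code does not do for you: the endpoint must only be reachable over HTTPS, because `login` carries the password and every later call carries the bearer token in clear SOAP; and idle sessions are only evicted when someone presents their token, so a scheduled sweep of `SESSIONS` is needed to keep the map from growing. The `SecurityException` reaches the client as a generic SOAP fault; a declared `@WebFault` gives .NET clients a typed fault instead.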


Solution

  • This is feasible and I've seen web services using a similar approach. But I wouldn't implement my own custom solution. Instead, I would use a Security Token from the WS-Security specification and, more precisely, a Username Token (you get this from WSIT, which is part of Metro and is thus interoperable with .NET clients). Have a look at this article for an introduction.

    Update: More pointers:

    I can't say that I found WS-Security very friendly but, still, my experience is that using WS-Security takes less time than implementing a custom solution, is more secure and scales better (checking the database at each call has a cost).

    Edit:

    Corrected the first two links, because they were dead. Couldn't find one for the third but I think the second should cover that.
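
To make the recommendation concrete, here is what a WS-Security stack checks when it receives a UsernameToken with a `PasswordDigest` password. This is an added illustration, not WSIT or Metro code (WSIT performs these checks for you); the class name, the five-minute freshness window and the demo user are assumptions. The UsernameToken Profile 1.0 defines `PasswordDigest = Base64(SHA-1(nonce + created + password))`, with the nonce as raw bytes and `Created`/password as UTF-8, and the example shows why the nonce and `Created` timestamp matter: without the replay cache and the freshness window a captured header could be resent indefinitely.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not Metro/WSIT code: the server-side validation of a WS-Security
// UsernameToken using PasswordDigest. Class name, window and demo user are assumptions.
public class UsernameTokenCheck {

    /** Accept tokens whose wsu:Created is within this window of server time (assumption). */
    static final Duration FRESHNESS = Duration.ofMinutes(5);

    /** Nonces already accepted, with when they were seen, so a captured token cannot be replayed. */
    private static final Map<String, Instant> SEEN_NONCES = new ConcurrentHashMap<>();

    /** Constructed demo credential store. PasswordDigest requires the server to know the password
     *  (or an equivalent secret), which is one reason deployments often use PasswordText over TLS. */
    private static final Map<String, String> PASSWORDS = Map.of("alice", "correct horse");

    private static final SecureRandom RNG = new SecureRandom();

    /** Base64(SHA-1(nonce + created + password)); SHA-1 is what the profile specifies. */
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /** Client side: the values that go into wsse:Nonce, wsu:Created and wsse:Password. */
    static String[] buildToken(String password, Instant now) throws Exception {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String created = now.toString();           // ISO-8601 UTC, as in wsu:Created
        return new String[] {
            Base64.getEncoder().encodeToString(nonce), created, passwordDigest(nonce, created, password)
        };
    }

    /** Server side: freshness, then replay, then digest comparison. */
    static boolean verify(String user, String nonceB64, String created, String digestB64,
                          Instant now) throws Exception {
        Instant createdAt;
        try {
            createdAt = Instant.parse(created);
        } catch (DateTimeParseException e) {
            return false;
        }
        // 1. Created must be recent; this bounds how long the nonce cache has to remember.
        if (Duration.between(createdAt, now).abs().compareTo(FRESHNESS) > 0) return false;
        // 2. Each nonce is accepted once inside the window; putIfAbsent makes the check atomic.
        SEEN_NONCES.entrySet().removeIf(e -> Duration.between(e.getValue(), now).compareTo(FRESHNESS) > 0);
        if (SEEN_NONCES.putIfAbsent(nonceB64, now) != null) return false;
        // 3. Recompute the digest from the stored secret and compare in constant time.
        String password = PASSWORDS.get(user);
        if (password == null) return false;
        byte[] nonce = Base64.getDecoder().decode(nonceB64);
        String expected = passwordDigest(nonce, created, password);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     digestB64.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.now();
        String[] t = buildToken("correct horse", now);
        System.out.println("fresh token:          " + verify("alice", t[0], t[1], t[2], now));
        System.out.println("same token resent:    " + verify("alice", t[0], t[1], t[2], now));
        String[] old = buildToken("correct horse", now.minus(Duration.ofMinutes(10)));
        System.out.println("Created 10 min old:   " + verify("alice", old[0], old[1], old[2], now));
    }
}
```

Running `main` accepts the first token, rejects the identical token on its second presentation (nonce already seen) and rejects a token whose `Created` lies outside the window, which is the replay protection the custom token-in-a-database design in the question would otherwise have to build itself. The nonce cache here is per-JVM; a clustered service needs a shared one, just as it would for custom session tokens.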