As per the title, I am wondering what are some best practices for Web service user authentication and session management, mainly for backend implementation, especially using Java (J2EE).

Has anyone published anything on the subject? What kind of security considerations should one keep in mind when working with user authentication? What kind of design patterns are related? How should sessions be managed? What does a well-designed architecture look like?

Are there existing systems that could be used as good examples, or even bad examples?

Shaggy Frog

2 Answers

As the Java EE specifications for web services actually consist of exposing a stateless session bean as a web service, you won't be able to implement session management without a "home-made" solution such as including a user token in each of your requests.

kyiu
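Added example (not kyiu's code): one way to carry the "user token in each request" the answer mentions, as a stateless HMAC-signed token that the backend can verify without keeping any session table. It uses only JDK classes; the server key, user name and lifetime are constructed sample values, and where the verify call sits (typically a servlet Filter in front of the stateless session bean) is left to the application.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

/** Stateless, self-contained request tokens: the server stores nothing per session. */
public final class RequestToken {
    private static final String HMAC = "HmacSHA256";
    private final byte[] serverKey;   // secret known only to the backend (assumed: loaded from config)

    public RequestToken(byte[] serverKey) { this.serverKey = serverKey.clone(); }

    /** Issue a token once the user has authenticated: "<user>:<expiryMillis>:<base64url hmac>". */
    public String issue(String user, long expiryMillis) {
        String payload = user + ":" + expiryMillis;
        return payload + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(sign(payload));
    }

    /** Verify the token carried by one request; returns the user if it is authentic and unexpired. */
    public Optional<String> verify(String token, long nowMillis) {
        // Split from the right so a user name containing ':' cannot shift the fields.
        int sigSep = token.lastIndexOf(':');
        if (sigSep < 0) return Optional.empty();
        String payload = token.substring(0, sigSep);
        int expSep = payload.lastIndexOf(':');
        if (expSep < 0) return Optional.empty();
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(sigSep + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Check the signature in constant time before trusting any field of the payload.
        if (!MessageDigest.isEqual(sign(payload), given)) return Optional.empty();
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(expSep + 1));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (nowMillis >= expiry) return Optional.empty();
        return Optional.of(payload.substring(0, expSep));
    }

    private byte[] sign(String payload) {
        try {
            Mac mac = Mac.getInstance(HMAC);
            mac.init(new SecretKeySpec(serverKey, HMAC));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample key; a real deployment generates a random key and keeps it out of source.
        byte[] key = "constructed-demo-key-replace-me".getBytes(StandardCharsets.UTF_8);
        RequestToken tokens = new RequestToken(key);
        long now = System.currentTimeMillis();
        String t = tokens.issue("alice", now + 60_000);
        System.out.println("valid:    " + tokens.verify(t, now));
        System.out.println("expired:  " + tokens.verify(t, now + 120_000));
        System.out.println("tampered: " + tokens.verify(t.replace("alice", "admin"), now));
    }
}
```

The three calls in `main` exercise the three outcomes a filter has to distinguish: an intact token inside its lifetime yields the user, the same token past its expiry is rejected, and a token whose user field was edited fails the HMAC check before the expiry is even read. Because the token carries everything the server needs, any backend node holding the key can verify it, which is what makes the scheme fit a stateless session bean.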

Not specifically REST, but we use the same authentication mechanism for standard web services as for any other web container request. This means sending basic authentication data to the backend, over SSL. Never had any issues.

Robert
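Added example, not Robert's code: a per-request HTTP Basic check of the kind the answer describes, which refuses to look at the credentials unless the request arrived over TLS and compares against a salted PBKDF2 hash rather than a stored password. The `Request` record is a hypothetical stand-in for `HttpServletRequest` (whose `isSecure()` would supply the TLS flag), the iteration count is an assumed policy value, and the user store is constructed; records need Java 16 or later.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

/** HTTP Basic authentication checked on every request, and only when the request came over TLS. */
public final class BasicAuthCheck {
    private static final int ITERATIONS = 210_000;  // PBKDF2-HMAC-SHA256 iteration count (assumed policy)
    private static final int KEY_BITS = 256;

    /** Stored credential: salt plus PBKDF2 output; the clear-text password is never stored. */
    public record StoredCredential(byte[] salt, byte[] hash) {}

    /** Hypothetical stand-in for the incoming request; a servlet would use HttpServletRequest. */
    public record Request(boolean secure, Map<String, String> headers) {}

    // Derived once so that unknown user names cost the same as wrong passwords (no timing oracle).
    private static final StoredCredential DUMMY = enrol("dummy");

    private final Map<String, StoredCredential> users;

    public BasicAuthCheck(Map<String, StoredCredential> users) { this.users = users; }

    /** Returns the authenticated user name, or empty if the request must be answered with 401. */
    public Optional<String> authenticate(Request req) {
        // Basic auth transmits the password itself, so refuse to parse it over plain HTTP.
        if (!req.secure()) return Optional.empty();
        String header = req.headers().get("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        int sep = decoded.indexOf(':');   // RFC 7617: the user-id may not contain ':', the password may
        if (sep < 0) return Optional.empty();
        String user = decoded.substring(0, sep);
        char[] password = decoded.substring(sep + 1).toCharArray();
        StoredCredential cred = users.getOrDefault(user, DUMMY);
        byte[] candidate = derive(password, cred.salt());
        Arrays.fill(password, '\0');     // drop the clear-text password as soon as it has been used
        boolean ok = users.containsKey(user) && MessageDigest.isEqual(candidate, cred.hash());
        return ok ? Optional.of(user) : Optional.empty();
    }

    /** PBKDF2 derivation shared by enrolment and verification. */
    public static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Create the stored form of a password with a fresh random salt. */
    public static StoredCredential enrol(String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new StoredCredential(salt, derive(password.toCharArray(), salt));
    }

    public static void main(String[] args) {
        // Constructed sample user store; in practice this is the application's user database.
        Map<String, StoredCredential> store = Map.of("robert", enrol("correct horse battery"));
        BasicAuthCheck auth = new BasicAuthCheck(store);
        String good = "Basic " + Base64.getEncoder().encodeToString(
                "robert:correct horse battery".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString(
                "robert:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("TLS, right password:   " + auth.authenticate(new Request(true, Map.of("Authorization", good))));
        System.out.println("TLS, wrong password:   " + auth.authenticate(new Request(true, Map.of("Authorization", bad))));
        System.out.println("plain HTTP, right pw:  " + auth.authenticate(new Request(false, Map.of("Authorization", good))));
    }
}
```

The `secure` check comes first on purpose: the answer's "over SSL" is what keeps the Basic credentials from crossing the wire in the clear, so the backend should treat an Authorization header that arrived over plain HTTP as already compromised and not accept it. The third call in `main` shows that a correct password is still refused in that case.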