RestSessions are used for granting access to role-protected services. Create a RestSession handle within a business login service by calling gateway.createRestSession:
```java
/**
 * Create a new authorized rest session (will be published within grid upon request)
 * @param perm provide the permissions, associated with this session
 * @param user a user object
 * @param userAgent the user client information (browserID, etc)
 * @param timeOut the timeout in seconds
 * @return the RestSession handle
 */
RestSession createRestSession(List<Permission> perm, Object user, String userAgent, int timeOut);

/**
 * Remove an authorized RestSession from Resoa (removal will be published within grid)
 * @param restSessionID rest sessionID
 */
void removeRestSession(String restSessionID);
```
The permissions of the session define the access control to protected services. The permission's service property is interpreted by 'startWith' (prefix matching), so specifying a package name is enough. Besides the service restriction, you should add at least one role to the permission handle.
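A login/logout service built on the two calls above, as an added example (not Resoa's own code). It assumes a `Gateway` type exposing `createRestSession` and `removeRestSession`, a `Permission` with a `Permission(String service)` constructor and an `addRole(String)` method, a `getSessionID()` accessor on `RestSession`, and a hypothetical `AccountStore` for credential checks.

```java
// Added example, not part of Resoa. Assumed names: Gateway, Permission(String),
// Permission.addRole(String), RestSession.getSessionID(), and the hypothetical AccountStore.
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

public class LoginService {
    // Sessions are refreshed by every request, so a short absolute timeout costs little.
    private static final int SESSION_TIMEOUT_SECONDS = 900;

    private final Gateway gateway;       // assumed: gateway handle with createRestSession/removeRestSession
    private final AccountStore accounts; // hypothetical: verifies credentials, returns an account or null

    public LoginService(Gateway gateway, AccountStore accounts) {
        this.gateway = gateway;
        this.accounts = accounts;
    }

    /** Authenticate and open a RestSession restricted to one service package and one role. */
    public RestSession login(HttpServletRequest request, String userName, String password) {
        Object account = accounts.authenticate(userName, password);
        if (account == null) {
            return null; // no session on failed credentials; the caller answers with 401
        }

        List<Permission> permissions = new ArrayList<>();
        // The service property is matched by prefix, so the package name covers every service below it.
        Permission orders = new Permission("com.example.shop.orders");
        orders.addRole("customer"); // every permission needs at least one role
        permissions.add(orders);

        // The user agent is stored with the session; when enabled in the gateway configuration
        // it is compared on every later request and a mismatch invalidates the session.
        String userAgent = request.getHeader("User-Agent");

        // createRestSession also adds the Set-Cookie header(s) for the session ID to the response.
        return gateway.createRestSession(permissions, account, userAgent, SESSION_TIMEOUT_SECONDS);
    }

    /** Invalidate the session grid-wide; the response removes the session cookies on the client. */
    public void logout(RestSession session) {
        gateway.removeRestSession(session.getSessionID()); // assumed accessor for the session ID
    }
}
```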
Details about RestSessions
- RestSessions are identified by Cookie, HTTP Authorization header (format: RESOA + SPACE + JSON representation of a RestSession instance) or Query string with the key SID/SSID.
- The createRestSession call to a resoa gateway will automatically add a Set-Cookie header to the HTTPServletResponse for the session ID. If the request arrived by secure protocol, a second Set-Cookie header is added for a secure session ID.
- If you do not want to support cookies, you can transfer the session data once after a successful authorization request and cache it within your client app.
- Resoa RestSessions contain two session IDs: one for HTTP requests and a different one for secure protocols like HTTPS. If you transmit the secure session ID within an unsecure request, the RestSession becomes invalidated by the ResoaGateway.
- RestSessions are cached locally and will run into a timeout if not refreshed, e.g. by an HTTP request. A timeout causes an invalidation of the session within the grid.
- If a RestSession ID is unknown on a grid node, it is checked against all active nodes for validity. If one node validates it, the request is granted; otherwise the session becomes invalidated.
- Call gateway.removeRestSession, e.g. within a logout service. The response will remove the session cookies on the client side.
- If enabled within the gateway configuration, the userAgent information is validated for every request as well. If the current agent does not match the initiating agent, the session becomes invalidated.