RestSessions are used for granting access to role-protected services. Create a RestSession handle within a business login service by calling gateway.createRestSession:
/**
* Create a new authorized rest session (will be published within grid upon request)
* @param perm provide the permissions, associated with this session
* @param user a user object
* @param userAgent the user client information (browserID, etc)
* @param timeOut the timeout in seconds
* @return the RestSession handle
*/
RestSession createRestSession (List<Permission> perm,
Object user, String userAgent, int timeOut);
/**
* Remove an authorized RestSession from Resoa (removal will be published within grid)
* @param restSessionID rest sessionID
*/
void removeRestSession(String restSessionID);
The permissions of the session define the access control to protected services. The permission's service property is matched by prefix (‘startWith’), so specifying a package name is enough. Besides the service restriction, you should add at least one role to the permission handle.
Details about RestSessions
- RestSessions are identified by Cookie, HTTP Authorization header (format: RESOA + SPACE + JSON representation of a RestSession instance) or Query string with the key SID/SSID.
- The createRestSession call to a Resoa gateway automatically adds a Set-Cookie header to the HttpServletResponse for the session ID. If the request arrived over a secure protocol, a second Set-Cookie header is added for a secure session ID.
- If you don’t want to support cookies, you can transfer the session data once after a successful authorization request and cache it within your client app.
- Resoa RestSessions contain two session IDs: one for HTTP requests and a different one for secure protocols like HTTPS. If you transmit the secure session ID within an insecure request, the RestSession is invalidated by the ResoaGateway.
- RestSessions are cached locally and time out if not refreshed, e.g. by an HTTP request. A timeout causes invalidation of the session within the grid.
- If a RestSession ID is unknown on a grid node, it is checked against all active nodes for validity. If one grid node validates it, the request is granted; otherwise the session is invalidated.
- Call gateway.removeRestSession, e.g. within a Logout service. The response will remove the session cookies on the client side.
- If enabled within the gateway configuration, the userAgent information is validated for every request as well. If the current agent does not match the initiating agent, the session is invalidated.
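The following is an added, self-contained model of the session checks listed above (identification by Cookie, RESOA Authorization header or SID/SSID query key; secure ID over plain HTTP, timeout and userAgent mismatch each invalidate the session). It is not Resoa code: the cookie names SID/SSID, the JSON field names sid/ssid and the order of the checks are assumptions made for the example.

```python
"""Constructed model of Resoa-style RestSession resolution; not the project's code."""
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


class RestSession:
    def __init__(self, sid, ssid, user_agent, timeout_s, now):
        self.sid, self.ssid = sid, ssid            # plain-HTTP id and secure (HTTPS) id
        self.user_agent, self.timeout_s = user_agent, timeout_s
        self.last_seen, self.valid = now, True


class GatewayModel:
    def __init__(self, check_user_agent=True):
        self.by_id = {}                            # both ids map to the same session
        self.check_user_agent = check_user_agent   # "enabled within the gateway configuration"

    def register(self, s):
        self.by_id[s.sid] = s
        self.by_id[s.ssid] = s

    @staticmethod
    def extract_id(headers, query, secure):
        """Assumed lookup order: Authorization header, then Cookie, then query string."""
        auth = headers.get("Authorization", "")
        if auth.startswith("RESOA "):              # RESOA + SPACE + JSON of the session
            data = json.loads(auth[len("RESOA "):])
            return data.get("ssid") if secure else data.get("sid")
        if "Cookie" in headers:
            jar = SimpleCookie()
            jar.load(headers["Cookie"])
            for key in ("SSID", "SID"):            # assumed cookie names
                if key in jar:
                    return jar[key].value
        q = parse_qs(query)
        for key in ("SSID", "SID"):
            if key in q:
                return q[key][0]
        return None

    def resolve(self, headers, query, secure, user_agent, now):
        """Return the matching RestSession or None, invalidating it on a rule violation."""
        sid = self.extract_id(headers, query, secure)
        s = self.by_id.get(sid)
        if s is None or not s.valid:
            return None
        if (sid == s.ssid and not secure            # secure id sent over plain HTTP
                or now - s.last_seen > s.timeout_s  # not refreshed within timeout
                or self.check_user_agent and user_agent != s.user_agent):
            s.valid = False
            return None
        s.last_seen = now                          # a granted request refreshes the session
        return s
```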