Where to keep session information in Java WS
<p>I am building a secure system that must be sure that the user sending it messages is the same one that received an access key. Example.</p>
<p>User Bob has a property <code>uniqueCode</code> that is unique just to him and would enable him to receive various information from the server.</p>
<p>There is a web service that has various methods for returning various sensitive data. When a client the user is using first connects to the web service, it does so via an authenticate method, which</p>
<ol>
<li>generates a pseudo-random key for this user</li>
<li>saves that key on the server and returns it to the user.</li>
</ol>
<p>Each subsequent request from the client to the WS requires the <code>uniqueCode</code> and the key. If the pair is valid, the request returns the needed information. If there has been no activity for x minutes, the key is invalidated, and the client asks the user to log in again.</p>
<p>Now my question is, how to store the key on the server? The key would be a Java object that could be serialized.</p>
<p>My options</p>
<ul>
<li>Keep them in a session. This is what a senior programmer at the company suggested, but that doesn't seem to be the way to go. Everywhere I read, they suggest that WS should not rely on underlying HTTP sessions.</li>
<li>Keep them in a database. A possible solution, but that would require me to create a specific database, adding a whole other level to the problem.</li>
<li>Keep them in binary encrypted files. This one seems the way to go, but is it? Since I would generate a key upon login, I could save the key + some info in a binary file, encrypt it with itself, and then pass it to the user. If the key I receive back can decipher the user's file, and the information is correct, return the information the user requested.</li>
</ul>
<p>Is my thinking correct, or am I missing something? I reckon that the last one would be the safest way to go, since if someone gains access to my system, breaking into the db would be easy, but deciphering a file without knowing another user's key would be quite tough.</p>
<p>Thanks!</p>
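One way to implement the authenticate/validate flow the question describes, as an added example that is not part of the original post or of any answer: the server keeps only a SHA-256 hash of each issued key, so a copied store (database, file or serialized map) yields no usable keys, compares in constant time, and enforces the idle timeout. The class name <code>AccessKeyStore</code>, its method names and the 15-minute limit are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side access-key store keyed by the user's uniqueCode (hypothetical helper). */
public final class AccessKeyStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration IDLE_LIMIT = Duration.ofMinutes(15); // the "x minutes"; 15 is assumed

    private static final class Entry {
        final byte[] keyHash;   // only the hash is kept; a leaked store gives no usable keys
        Instant lastSeen;
        Entry(byte[] keyHash, Instant lastSeen) { this.keyHash = keyHash; this.lastSeen = lastSeen; }
    }
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();

    /** authenticate(): mint a fresh 256-bit random key for this uniqueCode and hand it to the client. */
    public String issueKey(String uniqueCode) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(uniqueCode, new Entry(sha256(key), Instant.now())); // replaces any earlier key
        return key;
    }

    /** Every other WS method calls this first: valid pair and not idle too long -> refresh and allow. */
    public boolean validate(String uniqueCode, String presentedKey) {
        Entry e = entries.get(uniqueCode);
        if (e == null) return false;
        Instant now = Instant.now();
        if (Duration.between(e.lastSeen, now).compareTo(IDLE_LIMIT) > 0) {
            entries.remove(uniqueCode);            // idle timeout: client must log in again
            return false;
        }
        // constant-time comparison so timing does not reveal how much of the key matched;
        // the key is 256 random bits, so an unsalted SHA-256 is sufficient as the stored form
        if (!MessageDigest.isEqual(e.keyHash, sha256(presentedKey))) return false;
        e.lastSeen = now;
        return true;
    }

    public void invalidate(String uniqueCode) { entries.remove(uniqueCode); }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); } // SHA-256 is mandatory in every JRE
    }
}
```

The <code>entries</code> map is the only state, so it can live in memory, be written to a database table or be serialized to a file without changing the guarantee that the stored values are hashes rather than keys.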