Hi,
While trying to find out if a server is allowed to create sessions for
REST services, I didn't find anything in Java EE specifications.
Some background information: we did some performance investigation of
some web services, which don't create sessions by themselves but rely on
Java EE authentication.
It seems that Weblogic creates sessions for that, and even replicates
them in our cluster environment.
While I think this is an implementation choice to handle authentication,
I really think a word of caution should be found in the specs. As you
can guess, this makes it difficult to create stateless, scalable web
services. Our workaround right now is to specify 1-minute sessions and
to disable replication for this application. Shouldn't there be a
standard way to say that you want to have a stateless application?
Any input is welcome.
Thanks,
Yannick Majoros