users@jersey.java.net

Jersey and SSO

From: Yu, Xiaohui <Xiaohui.Yu_at_onstar.com>
Date: Mon, 23 Aug 2010 18:21:43 -0400

Hi,

Recently I've been investigating a session timeout issue with Jersey within WebLogic. I used a SAML token to authenticate with the application server to get a session id, and in turn used that to access the Jersey application. Everything seems to be working fine except that the session is not timing out as specified in web.xml.

I noticed that by default no HTTP session is created when accessing the Jersey app. I can use @Context to enforce it, but that's not ideal as I don't want to have @Context on my service interface. I can think of some other ways, but is there any configuration in Jersey that would ensure an HTTP session is created when the app is accessed? Or is it not there?

I'm aware that a REST service is supposed to be stateless. So what would be the recommended way to handle this in a security setting like the one I described? There are common issues such as session timeout and SSO logout.

Thanks,
John Yu
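One way to force an HTTP session into existence without putting @Context on the service interface is a plain servlet Filter in front of the Jersey servlet, so that the web.xml session-timeout applies to the REST calls. This is an added example, not code from the original post or from the Jersey project; it assumes a Servlet 2.5 container such as WebLogic, a Jersey servlet mapped under a path the filter is also mapped to, and a hypothetical package and attribute name.

```java
// Added example (not from the original post or the Jersey project).
// Assumes a Servlet 2.5 container (e.g. WebLogic) with the Jersey servlet
// mapped under a url-pattern that this filter is also mapped to in web.xml.
package com.example.web; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Creates an HTTP session for every request that reaches the Jersey servlet,
 * so the container's <session-timeout> from web.xml governs idle expiry of the
 * SSO-authenticated session. Resource classes stay free of @Context.
 */
public class EnsureSessionFilter implements Filter {

    // Hypothetical attribute name used to remember who the session belongs to.
    private static final String PRINCIPAL_ATTR = "sso.principal";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;

            // getSession(true) creates the session if the container has not yet done so;
            // from this point on the web.xml session-timeout applies to this client.
            HttpSession session = httpRequest.getSession(true);

            // Record the authenticated principal (set by the container's SAML login)
            // so a later SSO logout handler can find and invalidate the right session.
            if (httpRequest.getUserPrincipal() != null
                    && session.getAttribute(PRINCIPAL_ATTR) == null) {
                session.setAttribute(PRINCIPAL_ATTR, httpRequest.getUserPrincipal().getName());
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml with a filter-mapping whose url-pattern matches the Jersey servlet's mapping, and set the desired idle limit in session-config/session-timeout (minutes). The trade-off is the one the post already names: the service is no longer stateless at the container level, and an SSO logout must explicitly call session.invalidate() on the matching session rather than relying on the token alone.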