users@jersey.java.net

Re: [Jersey] Jersey and SSO

From: Paul Sandoz <Paul.Sandoz_at_oracle.com>
Date: Tue, 24 Aug 2010 11:30:20 +0200

On Aug 24, 2010, at 12:21 AM, Yu, Xiaohui wrote:

> Hi,
>
> Recently I've been investigating some session timeout issue with
> Jersey within Weblogic. I used SAML token to authenticate with the
> application server to get a session id, and in turn used that to
> access Jersey application. Everything seems to be working fine
> except the session is not timing out as specified in web.xml.
>
> It is noticed by default no http session is created when accessing
> Jersey app. I can use @Context to enforce it, but that's not ideal
> as I don't want to have @Context on my service interface. I can
> think of some other ways but is there any configuration in Jersey
> that would ensure a http session being created when app is accessed?
> Or it's not there?
>
> I'm aware a REST service is supposed to be stateless. Thus what
> would be the recommended way to handle this in a security setting
> like what I described? There are common issues such as session
> timeout and SSO logout.
>
>
Usually I would recommend using an HTTP authentication mechanism, but
sometimes the use of cookies with HTTP sessions is often unavoidable
since it is such a common mechanism to support "logging in".

As Martin says you can inject @Context on your implementation classes.
Otherwise another way is to write a Jersey or Servlet filter that
configures the session. I presume you will need to write some
application code to handle the session and return appropriate
responses when the session times out?

Paul.
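One way to implement the Servlet-filter approach mentioned above, as an added example that is not code from the original thread or from the Jersey project: a javax.servlet Filter placed in front of the Jersey servlet that creates the HTTP session on first access (so no @Context is needed on the service interface), applies the idle timeout, and answers with an explicit 401 when the client presents a session id the container no longer recognises. The filter name, init-parameter name and timeout value are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Jersey) that guarantees an HttpSession
 * exists for every request reaching the Jersey servlet and makes session
 * expiry visible to the client instead of silently starting a new session.
 *
 * Example web.xml wiring (names are assumptions):
 *
 *   <filter>
 *     <filter-name>SessionEnsuringFilter</filter-name>
 *     <filter-class>example.SessionEnsuringFilter</filter-class>
 *     <init-param>
 *       <param-name>maxInactiveSeconds</param-name>
 *       <param-value>900</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SessionEnsuringFilter</filter-name>
 *     <url-pattern>/rest/*</url-pattern>
 *   </filter-mapping>
 */
public class SessionEnsuringFilter implements Filter {

    // Idle timeout in seconds (web.xml's <session-timeout> is in minutes).
    // 15 minutes is an assumed default, overridable via init-param.
    private int maxInactiveSeconds = 15 * 60;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("maxInactiveSeconds");
        if (configured != null) {
            maxInactiveSeconds = Integer.parseInt(configured.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client sent a session cookie, but the container no longer knows
        // that id: the session timed out or was invalidated (e.g. SSO logout).
        // Reject explicitly so the client re-authenticates, rather than letting
        // getSession(true) below quietly mint an anonymous replacement session.
        if (request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid()) {
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
            return;
        }

        // Jersey does not create a session on its own; getSession(true) does,
        // which is what makes the web.xml timeout apply to these requests.
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            session.setMaxInactiveInterval(maxInactiveSeconds);
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The 401 branch assumes that re-authenticating through the application server's SAML flow establishes a fresh session; if the server instead re-uses the stale id, drop that branch or map the response to whatever the client expects. Calling setMaxInactiveInterval only on new sessions keeps the filter from resetting a timeout that another component (or the SSO layer) has already set.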