Hello,
A couple of weeks ago, I wrote this message in the Java EE users mailing
list. Bill Shannon suggested that it would be interesting to post it here.
I'm very interested in your opinions on that.
While trying to find out if a server is allowed to create sessions for
REST services, I didn't find anything in Java EE specifications.
Some background information: we did some performance investigation of
some web services, which don't create sessions by themselves but rely on
Java EE authentication.
It seems that Weblogic creates sessions for that, and even replicates
them in our cluster environment.
While I think this is an implementation choice to handle authentication,
I really think a word of caution should be found in the specs. As you
can guess, this makes it difficult to create stateless, scalable web services.
Our workaround right now is to specify 1-minute sessions and to disable
replication for this application. Shouldn't there be a standard way to say
that you want to have a stateless application?
Any input is welcome.
Thanks,
Yannick Majoros