
XI Authentication and Session

ivan_garcia2

Hi Xiers (XI Experts),

A partner has defined a web service with a session (on first use of the web services it is necessary to call an AuthenticateUser web service that returns a session; please see the XSD below).

After the call to the AuthenticateUser web service I need to pass a session string to all subsequent web services, like the one shown below (CreateProduct).

My question is: does this make sense? Is this better than authenticating on every web service call (passing user and password in every call)?

Thanks a lot!

Ivan, from Brazil

<xsd:element name="AuthenticateUser">
  <xsd:complexType>
    <xsd:sequence>
      <xsd:element name="remoteLoginCode" type="xsd:string" minOccurs="0" />
      <xsd:element name="password" type="xsd:string" minOccurs="0" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>
<xsd:element name="AuthenticateUserResponse">
  <xsd:complexType>
    <xsd:sequence>
      <xsd:element name="AuthenticateUserResult" type="xsd:string" minOccurs="0" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>

<xsd:element name="CreateProduct">
  <xsd:complexType>
    <xsd:sequence>
      <xsd:element name="session" type="xsd:string" minOccurs="0" />
      <xsd:element name="importType" type="ImportType" />
      <xsd:element name="list" type="ArrayOfProductType" minOccurs="0" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>
<xsd:element name="CreateProductResponse">
  <xsd:complexType>
    <xsd:sequence>
      <xsd:element name="CreateProductResult" type="ProductTypeResponse" minOccurs="0" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>

Accepted Solutions (1)

Former Member

Hi Ivan,

A couple of considerations:

1) If you are using HTTPS (as I expect, because you are passing user and password in the first call), the communication will be secure anyway.

So the use of a session id allows tracking who is doing what, so I think this could be enough.

2) If you do not use HTTPS then this could be not secure enough, because someone could sniff the session id (as well as user and password for the first call) and use it.

3) In general the problem with sessions is that they have temporary validity, so if your message fails in XI, when you restart it the session id could no longer be valid because it has expired (this is not an issue if the call is synchronous, because you cannot reprocess the message anyway). Let's say that authenticating every time could give you more flexibility for async scenarios.

So it depends on your security requirements and on whether the call is sync or async.

Hope it helps,

Kind Regards,

Sergio

ivan_garcia2

Thanks, Sergio.

People, Sergio,

What is the best place to store the session string? In a Z table in ERP? In XI (how, in this case)? Your reply will help not only to understand the session question but also the persistence mechanisms (if any) of XI.

Regards,

Ivan Garcia

Former Member

Hi Ivan,

I think that in general this kind of information should be handled by the application (service user), so for example if it is an ABAP transaction that calls 3 web services at 3 different moments, you should keep it in the memory of your ABAP report or keep it persistent in a Z table dedicated to your application.

If the service user is a workflow you should use the workflow container to store this information. Likewise, if you use a BPM then this info should be kept in the container.

Hope it helps,

Kind Regards,

Sergio
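The two answers above describe the pattern in prose: authenticate once, reuse the session string on the caller side, and be ready for the session to have expired when a message is reprocessed later. The following Python is an added example written for this page, not code from the thread, from SAP XI or from the partner's service. It assumes an in-memory stand-in for the AuthenticateUser and CreateProduct operations (the real ones are remote SOAP calls), an assumed 60-second session lifetime (the page gives none), a controllable clock so expiry can be exercised offline, and constructed sample credentials. The client wrapper caches the session the way an ABAP report would keep it in memory, and renews it exactly once when the service rejects it.

```python
import hmac
import secrets
import time


class FakeClock:
    """Controllable clock so session expiry can be exercised without waiting."""

    def __init__(self, start=1000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SimulatedPartnerService:
    """In-memory stand-in for the partner's AuthenticateUser / CreateProduct
    operations (constructed for this example; the real service is a remote
    SOAP endpoint and its session lifetime is not given on the page)."""

    SESSION_TTL = 60.0  # seconds, assumed value

    def __init__(self, users, clock=time.monotonic):
        self._users = users      # remoteLoginCode -> password (constructed sample data)
        self._sessions = {}      # session string -> expiry time
        self._clock = clock

    def AuthenticateUser(self, remoteLoginCode, password):
        expected = self._users.get(remoteLoginCode)
        # Constant-time comparison so a wrong password is rejected without a timing leak.
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("invalid credentials")
        session = secrets.token_urlsafe(32)  # unguessable, high-entropy session string
        self._sessions[session] = self._clock() + self.SESSION_TTL
        return session

    def CreateProduct(self, session, importType, product_list):
        expiry = self._sessions.get(session)
        if expiry is None or self._clock() > expiry:
            self._sessions.pop(session, None)
            raise PermissionError("session unknown or expired")
        return {"created": len(product_list), "importType": importType}


class SessionClient:
    """Caller-side wrapper: authenticates once, reuses the session string, and
    re-authenticates a single time when the service rejects the session."""

    def __init__(self, service, remoteLoginCode, password):
        self._svc = service
        self._creds = (remoteLoginCode, password)
        self._session = None  # cached session; in ABAP this is the report's memory or a Z table
        self.auth_calls = 0   # counter so reuse and renewal are observable

    def _authenticate(self):
        self._session = self._svc.AuthenticateUser(*self._creds)
        self.auth_calls += 1

    def create_product(self, importType, product_list):
        if self._session is None:
            self._authenticate()
        try:
            return self._svc.CreateProduct(self._session, importType, product_list)
        except PermissionError:
            # The cached session was rejected (expired between calls, the failure
            # mode that bites asynchronous reprocessing): renew once and retry.
            self._authenticate()
            return self._svc.CreateProduct(self._session, importType, product_list)


def run_demo():
    """Drive the client through reuse and expiry; returns the auth_calls count
    after each step plus the last result so the behaviour can be checked."""
    clock = FakeClock()
    svc = SimulatedPartnerService({"partner01": "s3cret-demo"}, clock=clock.now)
    client = SessionClient(svc, "partner01", "s3cret-demo")
    counts = []
    client.create_product("FULL", [{"sku": "A"}, {"sku": "B"}])  # first call: authenticates
    counts.append(client.auth_calls)
    client.create_product("FULL", [{"sku": "C"}])                # second call: session reused
    counts.append(client.auth_calls)
    clock.advance(SimulatedPartnerService.SESSION_TTL + 1)       # session expires
    result = client.create_product("DELTA", [{"sku": "D"}])      # rejected, renewed, retried
    counts.append(client.auth_calls)
    return counts, result


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows one authentication for the first two calls and a second one only after the clock passes the lifetime, which is the trade-off from the first answer: fewer credential transmissions, at the cost of handling expiry. Whichever store holds the session (report memory, Z table, workflow or BPM container), it should be treated as a credential, since anyone who reads it can act as that user until it expires.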

Answers (0)