8.2 Managing Sessions When Using Web Services

The majority of Oracle I/PM web services are capable of operating in either stateless or stateful mode. In stateless mode, authentication credentials passed in each service request are used to transparently log the user in, perform the requested operation, and then log out before returning.

In stateful operation, a call is first made to the LoginService.login operation to establish the user session with I/PM. Credentials to the login method are provided by the security policy currently in effect, or through HTTP Basic Auth if no policy is applied.

The jsessionid cookie returned by the login operation is then passed on calls to other services, which maintains session state from call to call. Note that web service security still requires each call to pass user credentials in order to comply with OWSM security policy enforcement. A call to LoginService.logout ends the user session.

As mentioned above, most Oracle I/PM services operate in either mode. The exception to this is the DocumentContentService. DocumentContentService operations are capable of leveraging a streaming Message Transmission Optimization Mechanism (MTOM) feature that is incompatible with OWSM security policies. Therefore, the stateful mode is required to wrap appropriate security around DocumentContentService operations.
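The stateful sequence described above (login, then the jsessionid cookie plus credentials on every call, then logout), shown as an added example that is not Oracle code. A constructed local HTTP stub stands in for the service side; the `/login`, `/op` and `/logout` paths, the `Stub` and `StatefulClient` names and the sample credentials are assumptions made for illustration, not I/PM endpoints or APIs.

```python
import base64, secrets, threading, urllib.error, urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "demo", "constructed-secret"  # constructed sample credentials
SESSIONS = set()                               # session ids the stub treats as live
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies
def basic(u, p): return "Basic " + base64.b64encode(f"{u}:{p}".encode()).decode()

class Stub(BaseHTTPRequestHandler):  # constructed stand-in; the paths are hypothetical
    def do_POST(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["JSESSIONID"].value if "JSESSIONID" in jar else None
        status, new_sid = 200, None
        if self.headers.get("Authorization") != basic(USER, PASSWORD):
            status = 401                       # credentials are checked on every call
        elif self.path == "/login":
            SESSIONS.add(new_sid := secrets.token_hex(16))
        elif sid not in SESSIONS:
            status = 403                       # cookie does not name a live session
        elif self.path == "/logout":
            SESSIONS.discard(sid)              # server-side invalidation
        self.send_response(status)
        if new_sid:
            self.send_header("Set-Cookie", f"JSESSIONID={new_sid}; Path=/; HttpOnly")
        self.end_headers()

class StatefulClient:  # login on enter, logout on exit, even when the body raises
    def __init__(self, base, user, password):
        self.base, self.auth, self.sid = base, basic(user, password), None
    def call(self, path, credentials=True):
        headers = {"Authorization": self.auth} if credentials else {}
        if self.sid: headers["Cookie"] = f"JSESSIONID={self.sid}"
        req = urllib.request.Request(self.base + path, data=b"", headers=headers)
        try:
            with OPENER.open(req, timeout=5) as resp:
                if path == "/login":           # keep the session id the server issued
                    self.sid = SimpleCookie(resp.headers["Set-Cookie"])["JSESSIONID"].value
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    def __enter__(self):
        if self.call("/login") != 200: raise PermissionError("login rejected")
        return self
    def __exit__(self, *exc): self.call("/logout")

def start_stub():  # serve the stub on an ephemeral loopback port
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"
```

Using the client in a `with` block ties the session lifetime to the work being done, so a failure in the middle of a batch does not leave a session open on the server.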