Posted to user@shiro.apache.org by Jesse O'Neill-Oine <je...@refactr.com> on 2009/06/04 17:47:59 UTC

JSecurity (Ki) and subdomains

I have a web application that is using JSecurity and also uses wildcard DNS
to allow for subdomains (and also sub-subdomains). I'm having a problem
getting people logged in properly.
The problem goes like this:
1. User goes to http://subdomain.myapp.com/ and fills in a login form with
their credentials.
2. Upon form submission we log them in and then redirect them to
http://user.subdomain.myapp.com/
3. They end up at their site, but they are no longer logged in because they
logged into the subdomain, not the sub-subdomain.

If the user uses the login form on http://user.subdomain.myapp.com/ then
everything works fine.

Is there a way to tell JSecurity that a login is valid for the entire domain
(i.e. myapp.com) or the entire subdomain (i.e. subdomain.myapp.com) rather
than just the actual domain they are on when they submit the form?

Thanks,
Jesse

PS - http://jsecurity.org seems to be down.
http://incubator.apache.org/ki/ is fine though.

-- 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Jesse O'Neill-Oine // jesse@refactr.com
Refactr LLC // http://refactr.com
mobile // 612-670-5037
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Re: JSecurity (Ki) and subdomains

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jesse,

The commit went in on SVN rev. 781880.  Here's the resolved issue:

https://issues.apache.org/jira/browse/KI-80

Cheers,

Les

On Thu, Jun 4, 2009 at 2:12 PM, Les Hazlewood <lh...@apache.org> wrote:

> I totally agree.
>
>
> On Thu, Jun 4, 2009 at 1:00 PM, Jeremy Haile <jh...@fastmail.fm> wrote:
>
>> Yeah - I think we could come up with some configuration param for that.
>> e.g. "useDomainCookie"
>> However - I think the default shouldn't do that.  There are plenty of
>> times where the security on one subdomain should not transfer to another
>> subdomain.
>>
>> On Jun 4, 2009, at 12:53 PM, Les Hazlewood wrote:
>>
>> I'm wondering if we could provide some mechanism that allows the user to
>> specify they want Ki to automatically provide the .domain value, allowing
>> for dynamic deployment and lessens the possibility of erroneous
>> configuration or mistyping...
>>
>> On Thu, Jun 4, 2009 at 12:30 PM, Jesse O'Neill-Oine <je...@refactr.com> wrote:
>>
>>> I don't have much experience in this area, but I tend to think it should
>>> be set in such a way that anything "sub" where you are should be included.
>>> That way, if you were on myapp.com then the cookie would be ".myapp.com"
>>> but if you were on subdomain.myapp.com the cookie would be
>>> ".subdomain.myapp.com" so it's only opening up further subdomains, not
>>> superdomains (no idea if that's a valid term).
>>> I would also be fine with a configuration option.
>>>
>>> Jesse
>>>
>>>
>>> On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <jh...@fastmail.fm> wrote:
>>>
>>>> I don't think we should set it at the domain level by default.
>>>> Les, are you thinking we should be setting the cookie
>>>> ".subdomain.myapp.com" or ".myapp.com" by default?
>>>>
>>>> I'd be ok going with ".subdomain.myapp.com" OR just changing it so the
>>>> user can configure what domain to set the cookie for.
>>>>
>>>>
>>>> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>>>>
>>>> Hi Jesse,
>>>>
>>>> This problem is related to cross-domain cookies, which Ki mistakenly
>>>> does not set by default.  If you open a Jira issue, I can have this fix
>>>> committed sometime today.
>>>>
>>>> Reference:
>>>> http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>>>>
>>>> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <je...@refactr.com> wrote:
>>>>
>>>>> I have a web application that is using JSecurity and also uses wildcard
>>>>> DNS to allow for subdomains (and also sub-subdomains). I'm having a problem
>>>>> getting people logged in properly.
>>>>> The problem goes like this:
>>>>> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
>>>>> with their credentials.
>>>>> 2. Upon form submission we log them in and then redirect them to
>>>>> http://user.subdomain.myapp.com/
>>>>> 3. They end up at their site, but they are no longer logged in because
>>>>> they logged into the subdomain, not the sub-subdomain.
>>>>>
>>>>> If the user uses the login form on http://user.subdomain.myapp.com/ then
>>>>> everything works fine.
>>>>>
>>>>> Is there a way to tell JSecurity that a login is valid for the entire
>>>>> domain (i.e. myapp.com) or the entire subdomain (i.e.
>>>>> subdomain.myapp.com) rather than just the actual domain they are on
>>>>> when they submit the form?
>>>>>
>>>>> Thanks,
>>>>> Jesse
>>>>>
>>>>> PS - http://jsecurity.org seems to be down.
>>>>> http://incubator.apache.org/ki/ is fine though.
>>>>>
>>>>> --
>>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>>> Jesse O'Neill-Oine // jesse@refactr.com
>>>>> Refactr LLC // http://refactr.com
>>>>> mobile // 612-670-5037
>>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>> Jesse O'Neill-Oine // jesse@refactr.com
>>> Refactr LLC // http://refactr.com
>>> mobile // 612-670-5037
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>
>>
>>
>>
>

Re: JSecurity (Ki) and subdomains

Posted by Les Hazlewood <lh...@apache.org>.
I totally agree.

On Thu, Jun 4, 2009 at 1:00 PM, Jeremy Haile <jh...@fastmail.fm> wrote:

> Yeah - I think we could come up with some configuration param for that.
> e.g. "useDomainCookie"
> However - I think the default shouldn't do that.  There are plenty of times
> where the security on one subdomain should not transfer to another
> subdomain.
>
> On Jun 4, 2009, at 12:53 PM, Les Hazlewood wrote:
>
> I'm wondering if we could provide some mechanism that allows the user to
> specify they want Ki to automatically provide the .domain value, allowing
> for dynamic deployment and lessens the possibility of erroneous
> configuration or mistyping...
>
> On Thu, Jun 4, 2009 at 12:30 PM, Jesse O'Neill-Oine <je...@refactr.com> wrote:
>
>> I don't have much experience in this area, but I tend to think it should
>> be set in such a way that anything "sub" where you are should be included.
>> That way, if you were on myapp.com then the cookie would be ".myapp.com"
>> but if you were on subdomain.myapp.com the cookie would be
>> ".subdomain.myapp.com" so it's only opening up further subdomains, not
>> superdomains (no idea if that's a valid term).
>> I would also be fine with a configuration option.
>>
>> Jesse
>>
>>
>> On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <jh...@fastmail.fm> wrote:
>>
>>> I don't think we should set it at the domain level by default.
>>> Les, are you thinking we should be setting the cookie
>>> ".subdomain.myapp.com" or ".myapp.com" by default?
>>>
>>> I'd be ok going with ".subdomain.myapp.com" OR just changing it so the
>>> user can configure what domain to set the cookie for.
>>>
>>>
>>> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>>>
>>> Hi Jesse,
>>>
>>> This problem is related to cross-domain cookies, which Ki mistakenly does
>>> not set by default.  If you open a Jira issue, I can have this fix committed
>>> sometime today.
>>>
>>> Reference:
>>> http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>>>
>>> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <je...@refactr.com> wrote:
>>>
>>>> I have a web application that is using JSecurity and also uses wildcard
>>>> DNS to allow for subdomains (and also sub-subdomains). I'm having a problem
>>>> getting people logged in properly.
>>>> The problem goes like this:
>>>> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
>>>> with their credentials.
>>>> 2. Upon form submission we log them in and then redirect them to
>>>> http://user.subdomain.myapp.com/
>>>> 3. They end up at their site, but they are no longer logged in because
>>>> they logged into the subdomain, not the sub-subdomain.
>>>>
>>>> If the user uses the login form on http://user.subdomain.myapp.com/ then
>>>> everything works fine.
>>>>
>>>> Is there a way to tell JSecurity that a login is valid for the entire
>>>> domain (i.e. myapp.com) or the entire subdomain (i.e.
>>>> subdomain.myapp.com) rather than just the actual domain they are on
>>>> when they submit the form?
>>>>
>>>> Thanks,
>>>> Jesse
>>>>
>>>> PS - http://jsecurity.org seems to be down.
>>>> http://incubator.apache.org/ki/ is fine though.
>>>>
>>>> --
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>> Jesse O'Neill-Oine // jesse@refactr.com
>>>> Refactr LLC // http://refactr.com
>>>> mobile // 612-670-5037
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>> Jesse O'Neill-Oine // jesse@refactr.com
>> Refactr LLC // http://refactr.com
>> mobile // 612-670-5037
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>
>
>

Re: JSecurity (Ki) and subdomains

Posted by Jeremy Haile <jh...@fastmail.fm>.
Yeah - I think we could come up with some configuration param for  
that. e.g. "useDomainCookie"

However - I think the default shouldn't do that.  There are plenty of  
times where the security on one subdomain should not transfer to  
another subdomain.

On Jun 4, 2009, at 12:53 PM, Les Hazlewood wrote:

> I'm wondering if we could provide some mechanism that allows the  
> user to specify they want Ki to automatically provide the .domain  
> value, allowing for dynamic deployment and lessens the possibility  
> of erroneous configuration or mistyping...
>
> On Thu, Jun 4, 2009 at 12:30 PM, Jesse O'Neill-Oine  
> <je...@refactr.com> wrote:
> I don't have much experience in this area, but I tend to think it  
> should be set in such a way that anything "sub" where you are should  
> be included. That way, if you were on myapp.com then the cookie  
> would be ".myapp.com" but if you were on subdomain.myapp.com the  
> cookie would be ".subdomain.myapp.com" so it's only opening up  
> further subdomains, not superdomains (no idea if that's a valid term).
>
> I would also be fine with a configuration option.
>
> Jesse
>
>
> On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <jh...@fastmail.fm>  
> wrote:
> I don't think we should set it at the domain level by default.
>
> Les, are you thinking we should be setting the cookie  
> ".subdomain.myapp.com" or ".myapp.com" by default?
>
> I'd be ok going with ".subdomain.myapp.com" OR just changing it so  
> the user can configure what domain to set the cookie for.
>
>
> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>
>> Hi Jesse,
>>
>> This problem is related to cross-domain cookies, which Ki  
>> mistakenly does not set by default.  If you open a Jira issue, I  
>> can have this fix committed sometime today.
>>
>> Reference: http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>>
>> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <jesse@refactr.com>
>> wrote:
>> I have a web application that is using JSecurity and also uses  
>> wildcard DNS to allow for subdomains (and also sub-subdomains). I'm  
>> having a problem getting people logged in properly.
>>
>> The problem goes like this:
>> 1. User goes to http://subdomain.myapp.com/ and fills in a login  
>> form with their credentials.
>> 2. Upon form submission we log them in and then redirect them to http://user.subdomain.myapp.com/
>> 3. They end up at their site, but they are no longer logged in  
>> because they logged into the subdomain, not the sub-subdomain.
>>
>> If the user uses the login form on http://user.subdomain.myapp.com/  
>> then everything works fine.
>>
>> Is there a way to tell JSecurity that a login is valid for the  
>> entire domain (i.e. myapp.com) or the entire subdomain (i.e.  
>> subdomain.myapp.com) rather than just the actual domain they are on  
>> when they submit the form?
>>
>> Thanks,
>> Jesse
>>
>> PS - http://jsecurity.org seems to be down. http://incubator.apache.org/ki/
>> is fine though.
>>
>> -- 
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>> Jesse O'Neill-Oine // jesse@refactr.com
>> Refactr LLC // http://refactr.com
>> mobile // 612-670-5037
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>
>
>
>
> -- 
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> Jesse O'Neill-Oine // jesse@refactr.com
> Refactr LLC // http://refactr.com
> mobile // 612-670-5037
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>


Re: JSecurity (Ki) and subdomains

Posted by Les Hazlewood <lh...@apache.org>.
I'm wondering if we could provide some mechanism that allows the user to
specify they want Ki to automatically provide the .domain value, allowing
for dynamic deployment and lessens the possibility of erroneous
configuration or mistyping...

On Thu, Jun 4, 2009 at 12:30 PM, Jesse O'Neill-Oine <je...@refactr.com> wrote:

> I don't have much experience in this area, but I tend to think it should be
> set in such a way that anything "sub" where you are should be included. That
> way, if you were on myapp.com then the cookie would be ".myapp.com" but if
> you were on subdomain.myapp.com the cookie would be ".subdomain.myapp.com"
> so it's only opening up further subdomains, not superdomains (no idea if
> that's a valid term).
> I would also be fine with a configuration option.
>
> Jesse
>
>
> On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <jh...@fastmail.fm> wrote:
>
>> I don't think we should set it at the domain level by default.
>> Les, are you thinking we should be setting the cookie
>> ".subdomain.myapp.com" or ".myapp.com" by default?
>>
>> I'd be ok going with ".subdomain.myapp.com" OR just changing it so the
>> user can configure what domain to set the cookie for.
>>
>>
>> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>>
>> Hi Jesse,
>>
>> This problem is related to cross-domain cookies, which Ki mistakenly does
>> not set by default.  If you open a Jira issue, I can have this fix committed
>> sometime today.
>>
>> Reference:
>> http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>>
>> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <je...@refactr.com> wrote:
>>
>>> I have a web application that is using JSecurity and also uses wildcard
>>> DNS to allow for subdomains (and also sub-subdomains). I'm having a problem
>>> getting people logged in properly.
>>> The problem goes like this:
>>> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
>>> with their credentials.
>>> 2. Upon form submission we log them in and then redirect them to
>>> http://user.subdomain.myapp.com/
>>> 3. They end up at their site, but they are no longer logged in because
>>> they logged into the subdomain, not the sub-subdomain.
>>>
>>> If the user uses the login form on http://user.subdomain.myapp.com/ then
>>> everything works fine.
>>>
>>> Is there a way to tell JSecurity that a login is valid for the entire
>>> domain (i.e. myapp.com) or the entire subdomain (i.e.
>>> subdomain.myapp.com) rather than just the actual domain they are on when
>>> they submit the form?
>>>
>>> Thanks,
>>> Jesse
>>>
>>> PS - http://jsecurity.org seems to be down.
>>> http://incubator.apache.org/ki/ is fine though.
>>>
>>> --
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>> Jesse O'Neill-Oine // jesse@refactr.com
>>> Refactr LLC // http://refactr.com
>>> mobile // 612-670-5037
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>
>>
>>
>>
>
>
> --
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> Jesse O'Neill-Oine // jesse@refactr.com
> Refactr LLC // http://refactr.com
> mobile // 612-670-5037
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>

Re: JSecurity (Ki) and subdomains

Posted by Jesse O'Neill-Oine <je...@refactr.com>.
I don't have much experience in this area, but I tend to think it should be
set in such a way that anything "sub" where you are should be included. That
way, if you were on myapp.com then the cookie would be ".myapp.com" but if
you were on subdomain.myapp.com the cookie would be ".subdomain.myapp.com"
so it's only opening up further subdomains, not superdomains (no idea if
that's a valid term).
I would also be fine with a configuration option.

Jesse

On Thu, Jun 4, 2009 at 11:14 AM, Jeremy Haile <jh...@fastmail.fm> wrote:

> I don't think we should set it at the domain level by default.
> Les, are you thinking we should be setting the cookie
> ".subdomain.myapp.com" or ".myapp.com" by default?
>
> I'd be ok going with ".subdomain.myapp.com" OR just changing it so the
> user can configure what domain to set the cookie for.
>
>
> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>
> Hi Jesse,
>
> This problem is related to cross-domain cookies, which Ki mistakenly does
> not set by default.  If you open a Jira issue, I can have this fix committed
> sometime today.
>
> Reference:
> http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>
> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <je...@refactr.com> wrote:
>
>> I have a web application that is using JSecurity and also uses wildcard
>> DNS to allow for subdomains (and also sub-subdomains). I'm having a problem
>> getting people logged in properly.
>> The problem goes like this:
>> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
>> with their credentials.
>> 2. Upon form submission we log them in and then redirect them to
>> http://user.subdomain.myapp.com/
>> 3. They end up at their site, but they are no longer logged in because
>> they logged into the subdomain, not the sub-subdomain.
>>
>> If the user uses the login form on http://user.subdomain.myapp.com/ then
>> everything works fine.
>>
>> Is there a way to tell JSecurity that a login is valid for the entire
>> domain (i.e. myapp.com) or the entire subdomain (i.e. subdomain.myapp.com)
>> rather than just the actual domain they are on when they submit the form?
>>
>> Thanks,
>> Jesse
>>
>> PS - http://jsecurity.org seems to be down.
>> http://incubator.apache.org/ki/ is fine though.
>>
>> --
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>> Jesse O'Neill-Oine // jesse@refactr.com
>> Refactr LLC // http://refactr.com
>> mobile // 612-670-5037
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>
>
>


-- 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Jesse O'Neill-Oine // jesse@refactr.com
Refactr LLC // http://refactr.com
mobile // 612-670-5037
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
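To make the cookie scoping discussed in this thread concrete, here is an added stand-alone Python model of RFC 6265 cookie Domain matching. It is example code written for this page, not Ki's or Shiro's implementation, and it does not touch the servlet Cookie API; the names SessionCookie, domain_matches, server_may_set, is_sent_to, cookie_domain_for and thread_scenario are this example's own, and the hosts are the ones from the thread. It shows why a host-only cookie set at subdomain.myapp.com never reaches user.subdomain.myapp.com (Jesse's step 3), that a Domain of .subdomain.myapp.com, the "anything sub where you are" rule, reaches the sub-subdomain without reaching myapp.com, a sibling subdomain or a look-alike host, and that a Domain of .myapp.com does span siblings, which is the case Jeremy wants kept off by default.

```python
"""Stand-alone model of RFC 6265 cookie Domain scoping (added example,
not Ki/Shiro code).  The browser, not the framework, decides which hosts
a cookie is returned to; this reproduces that decision so the thread's
cases can be checked offline."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SessionCookie:
    """The parts of a Set-Cookie header that decide where it is returned."""
    name: str
    set_by_host: str                 # host that issued the Set-Cookie
    domain: Optional[str] = None     # Domain attribute; None means host-only


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-address clause omitted).

    A leading dot on the Domain attribute is ignored, as browsers do.
    Requiring '.' + d as the suffix is what keeps notsubdomain.myapp.com
    from matching a cookie scoped to subdomain.myapp.com.
    """
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().lstrip(".").rstrip(".")
    return h == d or h.endswith("." + d)


def server_may_set(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.3 step 6: a host may only set a Domain that it
    itself domain-matches (itself or a parent), never a sibling or an
    unrelated domain.  Public-suffix checks are out of scope here."""
    return domain_matches(request_host, cookie_domain)


def is_sent_to(cookie: SessionCookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.domain is None:
        # Host-only cookie: returned only to the exact host that set it.
        return request_host.lower() == cookie.set_by_host.lower()
    return domain_matches(request_host, cookie.domain)


def cookie_domain_for(request_host: str) -> str:
    """Jesse's proposal: scope the cookie to the host that set it plus
    everything below it, never above it."""
    return "." + request_host.lower().rstrip(".")


def thread_scenario() -> Dict[str, bool]:
    """Walk the thread's cases: login happens at subdomain.myapp.com, then
    the user is redirected to user.subdomain.myapp.com (constructed hosts
    taken from the thread)."""
    login_host = "subdomain.myapp.com"
    redirect_host = "user.subdomain.myapp.com"

    host_only = SessionCookie("JSESSIONID", login_host)
    sub_scoped = SessionCookie("JSESSIONID", login_host, cookie_domain_for(login_host))
    apex_scoped = SessionCookie("JSESSIONID", login_host, ".myapp.com")

    return {
        # Ki's default at the time: the session is lost after the redirect.
        "host_only_reaches_sub_subdomain": is_sent_to(host_only, redirect_host),
        # Jesse's rule: the redirect target now gets the session cookie ...
        "sub_scoped_reaches_sub_subdomain": is_sent_to(sub_scoped, redirect_host),
        # ... but neither the parent, a sibling, nor a look-alike host does.
        "sub_scoped_reaches_parent": is_sent_to(sub_scoped, "myapp.com"),
        "sub_scoped_reaches_sibling": is_sent_to(sub_scoped, "other.myapp.com"),
        "sub_scoped_reaches_lookalike": is_sent_to(sub_scoped, "notsubdomain.myapp.com"),
        # Jeremy's concern: a .myapp.com cookie is shared with every subdomain.
        "apex_scoped_reaches_sibling": is_sent_to(apex_scoped, "other.myapp.com"),
        # The login host may set a parent-domain cookie but not a sibling's.
        "login_host_may_set_apex": server_may_set(login_host, ".myapp.com"),
        "login_host_may_set_sibling": server_may_set(login_host, "other.myapp.com"),
    }


if __name__ == "__main__":
    for case, sent in thread_scenario().items():
        print(f"{case:36} {sent}")
```

Running the block prints one line per case. The two results worth keeping in mind when choosing a default are that the host-only cookie (what Ki emitted) fails the redirect case, and that only the apex-scoped cookie crosses to a sibling subdomain, which is why a per-deployment setting rather than an always-on .domain is the conservative choice.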

Re: JSecurity (Ki) and subdomains

Posted by Les Hazlewood <lh...@apache.org>.
I was only going to provide passthrough methods to allow the user to call
Cookie.setDomain() if they want to.  If they don't, the behavior will stay
the same (cookie.setDomain() will not be called).

On Thu, Jun 4, 2009 at 12:14 PM, Jeremy Haile <jh...@fastmail.fm> wrote:

> I don't think we should set it at the domain level by default.
> Les, are you thinking we should be setting the cookie
> ".subdomain.myapp.com" or ".myapp.com" by default?
>
> I'd be ok going with ".subdomain.myapp.com" OR just changing it so the
> user can configure what domain to set the cookie for.
>
>
> On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:
>
> Hi Jesse,
>
> This problem is related to cross-domain cookies, which Ki mistakenly does
> not set by default.  If you open a Jira issue, I can have this fix committed
> sometime today.
>
> Reference:
> http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>
> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <je...@refactr.com> wrote:
>
>> I have a web application that is using JSecurity and also uses wildcard
>> DNS to allow for subdomains (and also sub-subdomains). I'm having a problem
>> getting people logged in properly.
>> The problem goes like this:
>> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
>> with their credentials.
>> 2. Upon form submission we log them in and then redirect them to
>> http://user.subdomain.myapp.com/
>> 3. They end up at their site, but they are no longer logged in because
>> they logged into the subdomain, not the sub-subdomain.
>>
>> If the user uses the login form on http://user.subdomain.myapp.com/ then
>> everything works fine.
>>
>> Is there a way to tell JSecurity that a login is valid for the entire
>> domain (i.e. myapp.com) or the entire subdomain (i.e. subdomain.myapp.com)
>> rather than just the actual domain they are on when they submit the form?
>>
>> Thanks,
>> Jesse
>>
>> PS - http://jsecurity.org seems to be down.
>> http://incubator.apache.org/ki/ is fine though.
>>
>> --
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>> Jesse O'Neill-Oine // jesse@refactr.com
>> Refactr LLC // http://refactr.com
>> mobile // 612-670-5037
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>
>
>

Re: JSecurity (Ki) and subdomains

Posted by Jeremy Haile <jh...@fastmail.fm>.
I don't think we should set it at the domain level by default.

Les, are you thinking we should be setting the cookie  
".subdomain.myapp.com" or ".myapp.com" by default?

I'd be ok going with ".subdomain.myapp.com" OR just changing it so the  
user can configure what domain to set the cookie for.


On Jun 4, 2009, at 12:10 PM, Les Hazlewood wrote:

> Hi Jesse,
>
> This problem is related to cross-domain cookies, which Ki mistakenly  
> does not set by default.  If you open a Jira issue, I can have this  
> fix committed sometime today.
>
> Reference: http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/
>
> On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine  
> <je...@refactr.com> wrote:
> I have a web application that is using JSecurity and also uses  
> wildcard DNS to allow for subdomains (and also sub-subdomains). I'm  
> having a problem getting people logged in properly.
>
> The problem goes like this:
> 1. User goes to http://subdomain.myapp.com/ and fills in a login  
> form with their credentials.
> 2. Upon form submission we log them in and then redirect them to http://user.subdomain.myapp.com/
> 3. They end up at their site, but they are no longer logged in  
> because they logged into the subdomain, not the sub-subdomain.
>
> If the user uses the login form on http://user.subdomain.myapp.com/  
> then everything works fine.
>
> Is there a way to tell JSecurity that a login is valid for the  
> entire domain (i.e. myapp.com) or the entire subdomain (i.e.  
> subdomain.myapp.com) rather than just the actual domain they are on  
> when they submit the form?
>
> Thanks,
> Jesse
>
> PS - http://jsecurity.org seems to be down. http://incubator.apache.org/ki/
> is fine though.
>
> -- 
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> Jesse O'Neill-Oine // jesse@refactr.com
> Refactr LLC // http://refactr.com
> mobile // 612-670-5037
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>


Re: JSecurity (Ki) and subdomains

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jesse,

This problem is related to cross-domain cookies, which Ki mistakenly does
not set by default.  If you open a Jira issue, I can have this fix committed
sometime today.

Reference:
http://blog.cylenceweb.com/2008/11/30/cross-subdomain-cookies-on-different-servers/

On Thu, Jun 4, 2009 at 11:47 AM, Jesse O'Neill-Oine <je...@refactr.com> wrote:

> I have a web application that is using JSecurity and also uses wildcard DNS
> to allow for subdomains (and also sub-subdomains). I'm having a problem
> getting people logged in properly.
> The problem goes like this:
> 1. User goes to http://subdomain.myapp.com/ and fills in a login form
> with their credentials.
> 2. Upon form submission we log them in and then redirect them to
> http://user.subdomain.myapp.com/
> 3. They end up at their site, but they are no longer logged in because they
> logged into the subdomain, not the sub-subdomain.
>
> If the user uses the login form on http://user.subdomain.myapp.com/ then
> everything works fine.
>
> Is there a way to tell JSecurity that a login is valid for the entire
> domain (i.e. myapp.com) or the entire subdomain (i.e. subdomain.myapp.com)
> rather than just the actual domain they are on when they submit the form?
>
> Thanks,
> Jesse
>
> PS - http://jsecurity.org seems to be down.
> http://incubator.apache.org/ki/ is fine though.
>
> --
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> Jesse O'Neill-Oine // jesse@refactr.com
> Refactr LLC // http://refactr.com
> mobile // 612-670-5037
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>