Posted to users@tomcat.apache.org by Sergio <se...@strategos.com.br> on 2011/04/05 15:03:08 UTC

Session sharing between context

Hi,

Running with Java5, Tomcat5.5.33, Hibernate, MyFaces+tomahawk on 
Debian/Windows.

We have an environment where there will be several instances of the same 
webapp running on Tomcat (sharing libraries when possible), each 
connecting to a different database. My idea is to have a webapp dedicated 
to login; once the user logs in I would redirect him to the webapp of his 
company (another context; the user in the database is associated with a 
company). Something like this:

http://webapp.strategos.net/ (WebappLogin context on tomcat)
http://webapp.strategos.net/company1/ (WebappCompany1 context on tomcat)
http://webapp.strategos.net/company2/ (WebappCompany2 context on tomcat)

Is it possible to redirect the browser to a different context and share the 
HTTP session that was created in the login context? I'm not using Tomcat 
authentication; the whole authentication process is done by our webapp 
(if required we can change this).

Thanks,
Sergio

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Session sharing between context

Posted by Pid <pi...@pidster.com>.
On 4/6/11 7:52 PM, Christopher Schultz wrote:
> Sergio,
> 
> On 4/5/2011 9:03 AM, Sergio wrote:
>> We have an environment where there will be several instances of the same
>> webapp running on Tomcat (sharing libraries when possible), each
>> connecting to a different database. My idea is to have a webapp dedicated
>> to login; once the user logs in I would redirect him to the webapp of his
>> company (another context; the user in the database is associated with a
>> company).
> 
> That sounds like a security problem waiting to happen: users can
> authenticate to the login webapp and then have free access to any
> company's webapp based just upon URL?
> 
>> Something like this:
> 
>> http://webapp.strategos.net/ (WebappLogin context on tomcat)
>> http://webapp.strategos.net/company1/ (WebappCompany1 context on tomcat)
>> http://webapp.strategos.net/company2/ (WebappCompany2 context on tomcat)
> 
>> Is it possible to redirect the browser to a different context and share the
>> HTTP session that was created in the login context?
> 
> HttpServletResponse.sendRedirect should always work. You just need to
> make sure that the session will be shared. Read the Tomcat documentation
> on SSO for more information.
> 
>> I'm not using Tomcat
>> authentication; the whole authentication process is done by our webapp
>> (if required we can change this).
> 
> I don't believe Tomcat's SSO can work unless you are using Tomcat's
> authentication.

Correct.

If you're using custom auth, you may be able to implement externalised
SSO.  There are a number of 3rd party projects that provide this
functionality, which is far more sensible than writing your own from
scratch.


p


Re: Session sharing between context

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sergio,

On 4/5/2011 9:03 AM, Sergio wrote:
> We have an environment where there will be several instances of the same
> webapp running on Tomcat (sharing libraries when possible), each
> connecting to a different database. My idea is to have a webapp dedicated
> to login; once the user logs in I would redirect him to the webapp of his
> company (another context; the user in the database is associated with a
> company).

That sounds like a security problem waiting to happen: users can
authenticate to the login webapp and then have free access to any
company's webapp based just upon URL?

> Something like this:
> 
> http://webapp.strategos.net/ (WebappLogin context on tomcat)
> http://webapp.strategos.net/company1/ (WebappCompany1 context on tomcat)
> http://webapp.strategos.net/company2/ (WebappCompany2 context on tomcat)
> 
> Is it possible to redirect the browser to a different context and share the
> HTTP session that was created in the login context?

HttpServletResponse.sendRedirect should always work. You just need to
make sure that the session will be shared. Read the Tomcat documentation
on SSO for more information.

> I'm not using Tomcat
> authentication; the whole authentication process is done by our webapp
> (if required we can change this).

I don't believe Tomcat's SSO can work unless you are using Tomcat's
authentication.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2ctoMACgkQ9CaO5/Lv0PDRAwCghNzyig1d8cE6lSQuNs3ij1lD
6GsAoLoFQNLIzdnq2/sQ3FF52jewndXG
=aTIx
-----END PGP SIGNATURE-----

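The concern raised in the thread (a user authenticates once in the login context and then reaches any company's context just by changing the URL) is best closed on the company side, by checking per request that this user belongs to this company rather than trusting the path. The filter below is an added example for this thread; it is not code from the original posts, from Tomcat, or from the poster's project. It targets Tomcat 5.5 (Servlet 2.4, javax.servlet) and assumes container-managed authentication with Tomcat's SingleSignOn valve enabled on the Host, so that getUserPrincipal() and isUserInRole() are populated in every context after login, and a Realm that grants each user a role named after their company context (role "company1" for /company1/). The package name, class name and that role-naming scheme are assumptions for illustration.

```java
// Added example, not from the thread or from Tomcat: a per-context
// authorization filter for Tomcat 5.5 (Servlet 2.4 API, javax.servlet).
// Assumptions (illustrative, not from the original post):
//  - the company webapps use container-managed authentication with Tomcat's
//    SingleSignOn valve, so getUserPrincipal()/isUserInRole() are populated
//    in every context on the Host once the user has logged in;
//  - the Realm grants each user a role named after the company context,
//    e.g. role "company1" for users who may use /company1/.
package br.com.strategos.example; // hypothetical package name

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CompanyAuthorizationFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(CompanyAuthorizationFilter.class.getName());

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure: the required role is derived per request from
        // the context path (Servlet 2.4 has no ServletContext.getContextPath()).
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No container principal: the user never authenticated, or SSO did not
        // propagate to this context. Refuse rather than guess.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated somewhere on this Host, but is this user allowed into
        // *this* company's context? Never infer that from the URL alone.
        String requiredRole = roleForContext(request.getContextPath());
        if (requiredRole == null || !request.isUserInRole(requiredRole)) {
            LOG.warning("Denied " + request.getUserPrincipal().getName()
                    + " access to context " + request.getContextPath()
                    + " from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }

    /**
     * Maps a context path to the role that grants access to it:
     * "/company1" -> "company1". The root context ("") has no company role,
     * and anything that is not a single path segment is rejected.
     */
    static String roleForContext(String contextPath) {
        if (contextPath == null || contextPath.length() < 2
                || contextPath.charAt(0) != '/') {
            return null;
        }
        String name = contextPath.substring(1);
        return name.indexOf('/') < 0 ? name : null;
    }

    public void destroy() {
    }
}
```

Register the filter in each company webapp's web.xml with a filter-mapping on url-pattern /* so no resource in the context is reachable without the check. The SSO valve the thread refers to is `<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>` inside the `<Host>` element of server.xml, and it only takes effect when the webapps use the container's own login mechanism, as Chris and Pid note. With container-managed security in place, the same rule can also be stated declaratively in web.xml as a `<security-constraint>` whose `<auth-constraint>` names the company role; the filter above is the same check written out so the logic, and the denial logging, is visible.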