Posted to users@tomcat.apache.org by Justin Jaynes <ju...@yahoo.com> on 2004/06/02 23:56:14 UTC

Maintaining Sessions

Hello,

I am running Tomcat 5.0.25 on SuSE Linux 9.1.  I am
running ONE Tomcat server with two services:

1.  Standalone on port 80, with two hosts:
    A.  A basic shopping site with a CartBean.java
        that I set scope=session when I call it from
        JSP's.
    B.  Another not related host.

2.  Standalone SECURE on port 443, with two hosts:
    C.  The secure checkout site for host A (above)
    B.  Another secure, but not related, host.

My cart.jsp on host A uses checkout.jsp on host C to
process the request.  However, the session with
CartBean objects does not carry over.  How do I keep
my session alive from host to host on the same server?
 And what if I decide to move the host C to another
server on another machine?  Then what?

Or is this the wrong approach?  Is there a way to have
SOME secure jsp's on the same host as some non-secure
jsp's?

And do I HAVE to have a WEB-INF directory for both
hosts, or could they somehow share a WEB-INF directory
so I only have to maintain ONE set of classes?  I
tried using symbolic-link WEB-INF's to one big WEB-INF
directory, but it did NOT work.

Justin Jaynes

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Maintaining Sessions

Posted by Justin Ruthenbeck <ju...@nextengine.com>.
At 04:22 PM 6/2/2004, you wrote:
>There is a web.xml file in my catalinahome/conf
>directory.  I have read that according to some
>specifications somewhere, I should also have a web.xml
>in every WEB-INF directory for each application.  Does
>the main web.xml file apply to all applications, and
>the WEB-INF web.xml just add settings to the specific
>applications, or does it OVERRIDE the main web.xml (so
>I would need to include ALL the entries found in the
>main file in ALL of the application level web.xml
>files)?

The app-specific web.xml extends the global one (information
defined in the app-specific one overrides the global one, but
any information not overridden is inherited).

>And what would an entry look like to force one
>specific file to re-direct to the secure port?  I can
>only find very vague examples that secure entire
>applications.

This is a Servlet spec thing -- see SRV.12.8 (Servlet2.3).

It's basically something like this in your web.xml (no
guarantees for code correctness here, but it should get you
started):

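<security-constraint>
   <web-resource-collection>
     <!-- web-resource-name is required by the web.xml DTD; the value is a free-form label -->
     <web-resource-name>Secure pages</web-resource-name>
     <url-pattern>/secure/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <!-- CONFIDENTIAL: matching requests must arrive over SSL -->
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>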

>Thanks for the help thus far,
>
>Justin Jaynes

No problem.  Good luck.
justin






______________________________________________
Justin Ruthenbeck
Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential. See:
http://www.nextengine.com/confidentiality.php
______________________________________________
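
To check which pages a set of <security-constraint> entries actually forces onto HTTPS, including a single file such as checkout.jsp, here is an added example (not code from this thread or from Tomcat). It applies a simplified model of the servlet url-pattern rules to a constructed web.xml; the resource names, paths and function names are assumptions, and http-method elements are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for one webapp holding both the cart and the checkout
# pages. Resource names and paths are illustrative assumptions; the sample
# uses no XML namespace (DTD-style descriptor).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Checkout page</web-resource-name>
      <url-pattern>/checkout.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def match_rank(pattern, path):
    """Rank a servlet url-pattern match: higher is more specific, 0 is no match."""
    if pattern == path:
        return 10000                                  # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return 100 + len(prefix)                  # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return 2                                      # extension match
    return 1 if pattern == "/" else 0                 # default pattern

def transport_guarantee(web_xml, path):
    """Return the guarantee of the best-matching constraint, or 'NONE'."""
    best_rank, best = 0, "NONE"
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        for pat in sc.iter("url-pattern"):
            rank = match_rank((pat.text or "").strip(), path)
            if rank > best_rank:
                best_rank, best = rank, guarantee
    return best

def requires_https(web_xml, path):
    return transport_guarantee(web_xml, path) in ("CONFIDENTIAL", "INTEGRAL")
```

Paths are relative to the webapp's context root, so /checkout.jsp here means that one file and nothing else.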




Re: Maintaining Sessions

Posted by Justin Jaynes <ju...@yahoo.com>.
That makes sense.  I did some reading since you
replied and I realize now that I can have more than
one connector per engine containing multiple hosts. 
That also explains the mysterious redirect port
parameter that I couldn't make heads nor tails of till
now.

But a few web.xml questions.

There is a web.xml file in my catalinahome/conf
directory.  I have read that according to some
specifications somewhere, I should also have a web.xml
in every WEB-INF directory for each application.  Does
the main web.xml file apply to all applications, and
the WEB-INF web.xml just add settings to the specific
applications, or does it OVERRIDE the main web.xml (so
I would need to include ALL the entries found in the
main file in ALL of the application level web.xml
files)?

And what would an entry look like to force one
specific file to re-direct to the secure port?  I can
only find very vague examples that secure entire
applications.

Thanks for the help thus far,

Justin Jaynes



Re: Maintaining Sessions

Posted by Justin Ruthenbeck <ju...@nextengine.com>.
Hi,

Square peg, round hole.

It seems like the only reason you've split these into multiple hosts is 
to differentiate between secure and non-secure communication -- that's a 
bad idea.  From what you've said, the best approach is to put all of the 
JSPs for (A) and (C) in the same webapp, but set <security-constraint>s 
for those resources (C) that require https.

See: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

What you're describing here is a deployment-time problem -- it shouldn't 
impact your code in a major way like distributed sessions would cause.

justin

