cayenne-commits mailing list archives

Subject svn commit: r1384997 - /cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
Date Sat, 15 Sep 2012 02:05:21 GMT
Author: aadamchik
Date: Sat Sep 15 02:05:20 2012
New Revision: 1384997

CAY-1739 Cayenne ROP server resets session on every request if BASIC auth is


(cherry picked from commit f837c847118f4a9185c21c7c47d1143fcd6eb9c6)


Modified: cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
--- cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
+++ cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
Sat Sep 15 02:05:20 2012
@@ -4,6 +4,21 @@
 	<title>ROP Deployment</title>
 	<section xml:id="deploying-rop-server">
 		<title>Deploying ROP Server</title>
+		<para>Recent versions of Tomcat and Jetty containers (e.g. Tomcat 6 and 7, Jetty
8) are
+			addressing a security concern related to "session fixation problem" by resetting the
+			existing session ID of any request that requires BASIC authentcaition. If ROP service
+			protected with declarative security (see the the ROP tutorial and the following chapters
+			on security), this feature prevents the ROP client from attaching to its session,
+			resulting in MissingSessionExceptions. To solve that you will need to either switch to
+			an alternative security mechanism, or disable "session fixation problem" protections of
+			the container. E.g. the later can be achieved in Tomcat 7 by adding the following
+				<emphasis>context.cml</emphasis> file to the webapp's META-INF/ directory:
+			<programlisting>&lt;Context>
+	&lt;Valve className="org.apache.catalina.authenticator.BasicAuthenticator" 
+			changeSessionIdOnAuthentication="false" />
+			&lt;Valve> tag can also be placed within the &lt;Context> in any other locations
used by
+			Tomcat to load context configurations)</para>
 	<section xml:id="deploying-rop-client">
 		<title>Deploying ROP Client</title>
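Review bot: The added para tells readers to switch off the container's session-fixation protection (changeSessionIdOnAuthentication="false" on the BasicAuthenticator valve) without saying what that gives up; add a sentence that this keeps the pre-authentication session ID alive across the BASIC login, so a session ID known before authentication remains valid after it, and present the "alternative security mechanism" option from the same sentence as the preferred route, with the valve setting reserved for deployments that accept that trade-off. The new text also needs copy fixes before it ships: "authentcaition" should be "authentication", "see the the ROP tutorial" should be "see the ROP tutorial", "If ROP service protected with" should be "If the ROP service is protected with", "the later can be achieved" should be "the latter can be achieved", and the file name in the emphasis element should be context.xml, not "context.cml". As shown, the programlisting has no closing &lt;/Context> and the trailing "Valve> tag can also be placed ..." parenthetical has no opening parenthesis; please confirm the listing and that sentence are complete in the committed file.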
