tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 32837] New: - double login when using ;jsessionid=
Date Fri, 24 Dec 2004 09:22:44 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=32837>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=32837

           Summary: double login when using ;jsessionid=
           Product: Tomcat 5
           Version: Unknown
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: tom@tbee.org


The situation is somewhat complex:

- There is a webapp using JDBCRealm
- In the webapp there is a Java Web Start application.
  The JNLP URL is not part of the realm because of an IE cache bug.
- There is a Hessian service that is used from the JWS application.
  (Hessian is a binary protocol via HTTP for remote method invocation.)
  The Hessian service (servlet) is part of the realm otherwise
  the principal might not be set (there is a bug # about this).

The Hessian servlet needs to know the logged-in user for its DB access. This
means it has to execute getUserPrincipal and therefore needs to be part of the
same session as was authenticated.

However, a JWS app does not inherit the cookies of its browser. To solve this,
the URL accessing the Hessian servlet has a ";jsessionid=" set (the sessionid
is passed via the dynamically generated JNLP file).

What happens the first time the application is started:
- Open index.html: login dialog appears
- Login is successful
- Click on JNLP file
- JNLP is generated with current sessionid inside
- JWS application is downloaded
- JWS constructs the URL with ";jsessionid=" attached
- Login dialog appears (by JWS)
- Hessian service is accessed within same session.

So the solution works, but there is a second login by the JWS environment. If
the browser is stopped and restarted, there is no second login.

Since the need for the login is determined by the webapp server (Tomcat) I must 
place the cause for this behaviour at Tomcat. This happens with 4.1.29 and 
5.5.4. 

Specifying the session id via ";jsessionid=" is a valid way to attach to a 
session, so it currently is my opinion this behaviour is not correct.
