tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alberto Rodriguez Galdo" <>
Subject Make Cookie and SavedRequest Serializable to allow proper SSO handling in clustered environments
Date Mon, 11 Sep 2006 11:41:58 GMT

   In our company we have a distributed clustered application that uses
session replication, single sign on and form-based authentication.

   When implementing this scenario we used
Jboss(clustering)+Tomcat(servlets+jsp)+Apache(load balancing).

   If you don't want to use stiky sessions, you're forced to make all
information of a particular user session live in one node of the cluster,
then tomcat is able to find it's SavedRequest Object when authenticating an
user. What's natural is that Apache should be able to choose any of the
cluster nodes to continue the authentication process ( once the user has
been redirected to the login page), but, as SavedRequest is not Serializable
it's impossible for an application server clustering implementation to
replicate the SavedRequest info in the nodes of the cluster.

   We're working hand to hand with jboss in trying to implement this
behaviour (as you can see in and ) and to allow the
serializing of SavedRequest and begin Jboss specific implementation we need
from Tomcat to make
org.apache.catalina.authenticator.SavedRequestSerializable (implements and as a consecuence, make
javax.servlet.http.CookieSerializable too (I know, I know, I've read
the disclaimer regarding JDK
1.01... but...). We've already checked that making both classes Serializable
does not affect to Tomcat's behaviour and eases very much our approach to
the problem in JBoss (and other Application servers that use Tomcat as
servlet/jsp container).

   Is this possible?, Do you want us to send the proper diff files against


Alberto Rodriguez Galdo

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message