tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alberto Rodriguez Galdo" <>
Subject Why SavedRequest should be Serializable (or at least not stored in a Session note)
Date Mon, 18 Sep 2006 10:52:24 GMT

   Servlet 2.4 specification states that

   "Migration of sessions will be handled by container-specific facilities."

   "The Container Provider can ensure scalability and quality of service
features like load-balancing and failover by having the ability to move a
session object, and its contents, from any active node of the distributed
system to a different node of the system."

   When Tomcat receives a request for a protected URL, the user is
redirected to the login page and a SavedRequest object is created and stored
as a note in the user session via setNote method of
org.apache.catalina.session.StandardSession (the note then gets stored as an
entry in a Hashtable inside the session).

   As this object is not serializable, when any clustering mechanism outisde
tomcat (such as the ones that implement application servers that embed
tomcat to provide JSP/Servlet processing) no easy mechanism can be provided
to replicate the info of a request to a protected URL before the
authentication is performed with a j_security_check POST (in a form-based
authentication environment).

   Sticky sessions are a way of circunventing this problem but doesn't
provide full load-bancing and failover capabilities.

   What are the chances of transforming
org.apache.catalina.authenticator.SavedRequest in a Serializable Object
and/or storing that object in the session to be easily replicated so this
problem is avoided and full replication schemes would be implemented for SSO
in clustered environments and so on?

Alberto Rodriguez Galdo

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message