tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Sharing sessions across contexts?
Date Fri, 06 Oct 2000 23:34:56 GMT
Lawrence Weeks wrote:

> Hello,
> I searched the archives and founds hints of this being possible?

Sharing sessions across contexts is expressly forbidden by the servlet

There are some fundamental security and technical hurdles to doing things
any other way.  (Consider, for instance, the fact that each context has
their own classloader -- so a session attribute inserted from one webapp
would not be usable in another webapp).

> Does
> anybody know if it is? We have a central servlet that authorizes users,
> displays a menu of valid servlets, and sends the users to the selected
> servlet. We're trying/hoping to use session based security, but cannot
> get the session created by the authorization servlet recognized by
> subsequent servlets. Any help/advice would be very appreciated.

As long as all these servlets run in a single webapp, you would not have
any problems using session based security.

What you are describing is somewhat similar to the "single sign on" support
that was just added to Tomcat 4.0.  It relies on webapps that use the
container-managed security features of the servlet 2.2/2.3 APIs, and works
like this:  the first time the user tries to access a URI protected by a
security constraint, the user must log in according to the login
configuration of that webapp.  However, their user identity is propogated
across all the webapps of this virtual host so the user won't be challenged
to log in to each webapp individually.

Doing this with application-managed security is probably going to require
you to write customized interceptors (Tomcat 3.x) or valves (Tomcat 4.x).
You might want to reconsider whether you can use either container-managed
security with single sign on support, as described above, or combine all
your logically separate applciations into one context (from the point of
view of the servlet container).

> Larry

Craig McClanahan

See you at ApacheCon Europe <>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat

View raw message