tomcat-users mailing list archives

From Raimee <>
Subject Re: Sharing sessions across contexts?
Date Sat, 07 Oct 2000 01:03:19 GMT
Sorry for butting in, Lawrence. But you have brought up a problem I am
having and Craig has offered some interesting solutions.

> As long as all these servlets run in a single webapp, you would not have
> any problems using session based security.
> What you are describing is somewhat similar to the "single sign on" support
> that was just added to Tomcat 4.0.  It relies on webapps that use the
> container-managed security features of the servlet 2.2/2.3 APIs, and works
> like this:  the first time the user tries to access a URI protected by a
> security constraint, the user must log in according to the login
> configuration of that webapp.  However, their user identity is propagated
> across all the webapps of this virtual host so the user won't be challenged
> to log in to each webapp individually.

When you say the user id is propagated across all webapps, I infer that
it should be available to a servlet in any context. Though, I'm not certain how
a servlet would obtain it, if it can't be bound to a session. Now, when you say
servlets running in different contexts can be 'combined' into a single context
from the point of view of the servlet container - you've lost me. Am I to infer
that a Webapp can span multiple contexts? How is this achieved? Obviously
I don't know anything about Ant. And that's probably where I am going to
look next.

However, I have essentially an identical problem: I require 'single sign on'
support for two separate webapps, and I must be able to access the userId
from servlets in either context. Once again, I'm not sure how that is achieved.

I have the added requirement of binding database connections to sessions in
each context. The sessions can be created and then destroyed when the user
changes contexts, but I must be able to bind new db connections once the
sessions are re-established.

> Doing this with application-managed security is probably going to require
> you to write customized interceptors (Tomcat 3.x) or valves (Tomcat 4.x).
> You might want to reconsider whether you can use either container-managed
> security with single sign on support, as described above, or combine all
> your logically separate applications into one context (from the point of
> view of the servlet container).

> >
> > Larry
> >

I have been handling authentication within my servlets. I am forced to
use a single context for each app since I am managing user information
with the session tracking api. Although I have been having problems
here with one app that happens to be an applet. I have had problems
with null sessions and strange browser behaviour affecting my applet.

It seems that it's time to upgrade to Tomcat 4.x. Last time I checked,
however, the DBRealm feature was tagged as Experimental. An
attractive feature that would integrate nicely, especially for the single sign
on requirement.
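
Added example (not part of the original message, and not Tomcat project code): with the container-managed security described in the quoted reply, a servlet reads the authenticated user from the request rather than from its own session, and can bind a fresh database connection whenever that context's session is new. The class names, the `db.conn` attribute key and the JDBC URL are placeholders, and the servlet is assumed to be mapped under a URI protected by a security constraint in its webapp.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example: class names, the "db.conn" key and the JDBC URL are placeholders.
public class WhoAmIServlet extends HttpServlet {

    // Session-scoped holder. The container calls valueUnbound() when the session
    // is invalidated or times out, so the connection is closed with the session.
    static final class SessionConnection implements HttpSessionBindingListener {
        final Connection conn;
        SessionConnection(Connection conn) { this.conn = conn; }
        public void valueBound(HttpSessionBindingEvent e) { }
        public void valueUnbound(HttpSessionBindingEvent e) {
            try { conn.close(); } catch (SQLException ignored) { }
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Under container-managed security the identity is attached to the
        // request by the container; it is not an attribute of the HttpSession.
        String user = req.getRemoteUser();
        if (user == null) {
            // Not logged in, or this URI is not covered by a security constraint.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        HttpSession session = req.getSession(true); // sessions stay per-context
        synchronized (session) {
            if (session.getAttribute("db.conn") == null) {
                // First request in this context's session: bind a new connection.
                try {
                    Connection c = DriverManager.getConnection("jdbc:example:placeholder");
                    session.setAttribute("db.conn", new SessionConnection(c));
                } catch (SQLException e) {
                    throw new ServletException("cannot open connection", e);
                }
            }
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated as " + user);
    }
}
```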

