tomcat-users mailing list archives

From "Keith Kee" <>
Subject RE: Sharing sessions across contexts?
Date Sat, 07 Oct 2000 01:21:24 GMT
I have the same kind of problem. Before I start changing my software
architecture to make use of other technologies to achieve the single sign on
behavior, I prefer to be able to do it within the servlet arena.

> -----Original Message-----
> From: Raimee []
> Sent: Friday, October 06, 2000 9:03 PM
> To:
> Subject: Re: Sharing sessions across contexts?
> Sorry for butting in Lawrence. But you have brought up a problem I am
> having and Craig has offered some interesting solutions.
> > As long as all these servlets run in a single webapp, you would not have
> > any problems using session based security.
> >
> > What you are describing is somewhat similar to the "single sign on" support
> > that was just added to Tomcat 4.0.  It relies on webapps that use the
> > container-managed security features of the servlet 2.2/2.3 APIs, and works
> > like this:  the first time the user tries to access a URI protected by a
> > security constraint, the user must log in according to the login
> > configuration of that webapp.  However, their user identity is propagated
> > across all the webapps of this virtual host so the user won't be challenged
> > to log in to each webapp individually.
> When you say the user id is propagated across all webapps, I infer that
> it should be available to a servlet in any context. Though, I'm not certain
> how a servlet would obtain it; if it can't be bound to a session. Now, when
> you say that servlets running in different contexts can be 'combined' into a
> single context - from the point of view of the servlet container - you've
> lost me. Am I to infer that a Webapp can span multiple contexts? How is this
> achieved? Obviously I don't know anything about Ant. And that's probably
> where I am going to look next.
> However, I have essentially an identical problem: I require 'single sign on'
> support for two separate webapps, and I must be able to access the userId
> from servlets in either context, once again, I'm not sure how that is
> achieved. I have the added requirement of binding database connections to
> sessions in each context. The sessions can be created and then destroyed when
> the user changes contexts, but I must be able to bind new db connections once
> the sessions are re-established.
> > Doing this with application-managed security is probably going to require
> > you to write customized interceptors (Tomcat 3.x) or valves (Tomcat 4.x).
> > You might want to reconsider whether you can use either container-managed
> > security with single sign on support, as described above, or combine all
> > your logically separate applications into one context (from the point of
> > view of the servlet container).
> > >
> > > Larry
> > >
> I have been handling authentication within my servlets. I am forced to
> use a single context for each app since I am managing user information
> with the session tracking api. Although I have been having problems
> here with one app that happens to be an applet. I have had problems
> with null sessions and strange browser behaviour affecting my applet.
> It seems that it's time to upgrade to Tomcat 4.x. Last time I checked
> however the DBRealm feature was tagged as Experimental. An
> attractive feature that would integrate nicely especially for
> the single sign on requirement.
> Raimee

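An added example, not part of either poster's message and not Tomcat's own code: under container-managed security a servlet in any context reads the authenticated identity from the request (`getRemoteUser()`) rather than from a session attribute, and can rebind per-context resources whenever that context's session is new or belongs to a different user. The servlet name, the `db` attribute key and the JDBC URL are assumptions, and the servlet is assumed to be mapped under a security constraint in each webapp.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical servlet, deployed in each webapp behind a <security-constraint>.
public class AccountServlet extends HttpServlet {
    // Placeholder URL; a real deployment supplies its own driver and URL.
    private static final String JDBC_URL = "jdbc:placeholder:appdb";

    // Session-scoped holder: the container calls valueUnbound() when the
    // attribute is replaced or the session is invalidated or times out.
    static final class BoundConnection implements HttpSessionBindingListener {
        final String owner;
        final Connection conn;
        BoundConnection(String owner, Connection conn) {
            this.owner = owner;
            this.conn = conn;
        }
        public void valueBound(HttpSessionBindingEvent e) { }
        public void valueUnbound(HttpSessionBindingEvent e) {
            try { conn.close(); } catch (SQLException ignored) { }
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity established by the container's login, valid in this context
        // even though the HttpSession itself is private to each webapp.
        String user = req.getRemoteUser();
        if (user == null) {              // not authenticated: fail closed
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        HttpSession session = req.getSession(true);
        BoundConnection bc = (BoundConnection) session.getAttribute("db");
        // Never reuse a connection that was opened for a different identity.
        if (bc == null || !bc.owner.equals(user)) {
            try {
                bc = new BoundConnection(user, DriverManager.getConnection(JDBC_URL));
            } catch (SQLException e) { throw new ServletException(e); }
            session.setAttribute("db", bc);   // old holder, if any, is unbound
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Signed in as " + user);
    }
}
```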