Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Message-ID: <39DE965A.9F11E0EC@sympatico.ca>
Date: Fri, 06 Oct 2000 23:19:54 -0400
From: Raimee <raimee@sympatico.ca>
MIME-Version: 1.0
To: tomcat-user@jakarta.apache.org
Subject: Re: Sharing sessions across contexts?
References: <Pine.LNX.4.21.0010061846460.1102-100000@dynasty>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


> kenneth topp wrote:

> On Fri, 6 Oct 2000, Raimee wrote:

> > When you say the user id is propogated accross all webapps, I infer

> > that it should be availible to a servlet in any context. Though, I'm
> > not certain how
> >
> > a servlet would obtain it; if it can't be bound to a session. Now,
> > when you say that servlets running in different contexts can be
> > 'combined' into a single context - from the point of view of the
> > servlet container - you've lost me. Am I to infer
>
> yes, it likely uses basic authentication (the web browsers popup).  This
> is essential a politically correct cookie, that requires the users
> initial input. It also has the limitation of one URL host only.. it can

> be further restricted by a "realm" but you cannot use it two website urls:

>
>   my.example.com and www.example.com

That's all I am doing. My applet cycles through http headers for JSessionId,
sets the cookie request property for the next reuqest, and my servlets manages

site resources (database) accordingly. So if container managed authentication
can be levereged to provide session management - by allowing only valid users
at sign-on and throughtout the session/cookie MaxAge, then all that is left is
to
figure out why sessions are returned null by my applet.

?????
Does setting the setRequestProperty("Cookie",JSessionId) of the applets
servletConnection
object imply that a servlets call to reequest.getSession() will return
something other than null?
?????

Could Netscape be the culprit here?

> > that a Webapp can span multiple contexts? How is this achieved?

> > Obviously I don't know anything about Ant. And that's probably where I
> > am going to look next.
>
> ant?  oh, trying to dig into 4.x? heh.

It's the latest thing...

> > However, I have essentially an identicle problem: I require 'single
> > sign on' support for two seperate webapps, and I must be able to
> > access the userId from servlets in either context, once again, I'm not
> > sure how that is achieved.
>
> Perhaps some clarification should be made, are these separate webapps at
> different host urls?  if they are your only choice is interceptor/valve,
> and setting a cookie (that is if they are under the same example.com
> domain).  If they aren't you can still do it, but it would be more
> complex.
>

No I have a single domain and two contexts:

1host.1domain.com/context1/...webApp1 and
1host.1domain.com/context2/...webApp2

More complex than interceptors and valves? I wouldn't know. But it seems that
the complexity of tracking a userid with cookies is proportional to the
simplicity of
remembering ones own name.

> > It seems that it's time to upgrade to Tomcat 4.x. Last time I checked
> > however the DBRealm feature was tagged as Experimental. An attractive
> > feature that would integrate nicely esspetially for the single sign on
> > requirement.
>
> Yeah, but I don't think this technology is anything more then what apache
> can do for you with a more stable 3.x.  Then again, any custom
> authentication code wouldn't be java ;)

htdigest works very nicely when you don't require state in your application
but
as far as I can tell, fails when you do.

Hence the need for custom authentication and session management : not only
do you need to know someone is who they say they are at login, but every time
they ask for something you need to know, and you need a way to get stuff for
them based on who they are.

> Kenneth Topp
>
> >
> > Raimee
> >