tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: session sharing
Date Wed, 21 Feb 2001 02:07:17 GMT
Shih Chang wrote:

> Hi! I am a new user of Tomcat 3.2.1.
> Although the servlet API document mentions that the
> session object is tied to the ServletContext, is there any
> way in Tomcat for different web apps to share one
> session's information?


Even if you modified Tomcat's code to break this rule from the servlet
specification, you would quickly run into class loading problems.
Consider the following scenario:

* Web App #1 creates a session attribute using
  class Foo, which was loaded from the WEB-INF/classes
  of that app

* Web App #2 accesses this same session (through your
  changes to Tomcat) and tries to access this attribute.
  They will get a ClassNotFoundException, because the
  WEB-INF/classes directory of Web App #1 is not visible
  to the class loader for Web App #2.

> I think it is very common that after a user logs in to a web site, he/she
> can access different apps under the web site without
> logging in again.

This is something you can do without sharing sessions, as long as your
servlet container supports "single sign on".  Tomcat 3.2 does not do
this, but 4.0b1 does if you enable it.

The basic idea is that your user has free rein of all the apps on the web
site until they access a resource that is protected by a security
constraint.  Once they do, they are challenged for username and password,
and authenticated.  Now, the servlet container remembers that identity
across web apps, so they will not need to log on again.

> Clark

Craig McClanahan
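
The class loader scenario in the reply above, as an added example that is not part of the original message and is not Tomcat code: two `URLClassLoader` instances stand in for the per-web-app loaders, and class `Foo` exists only under the first app's `WEB-INF/classes`. Assumptions: a JDK is required because `Foo` is compiled at run time, the temporary directory layout and the sample value are constructed, and the shared session is modelled as serialized bytes so that each app has to resolve the class through its own loader.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import javax.tools.ToolProvider;

// Added illustration: app1/app2, Foo and the sample value are constructed stand-ins.
public class SessionClassLoaderDemo {
    // Resolves classes through one given loader, as a container does per web app.
    static class LoaderInput extends ObjectInputStream {
        private final ClassLoader loader;
        LoaderInput(byte[] data, ClassLoader loader) throws IOException {
            super(new ByteArrayInputStream(data));
            this.loader = loader;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws ClassNotFoundException {
            return Class.forName(desc.getName(), false, loader);
        }
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("webapps");
        Path app1 = Files.createDirectories(root.resolve("app1/WEB-INF/classes"));
        Path app2 = Files.createDirectories(root.resolve("app2/WEB-INF/classes"));
        // Foo is compiled into Web App #1's WEB-INF/classes only (needs a JDK).
        Path src = root.resolve("Foo.java");
        Files.write(src, ("public class Foo implements java.io.Serializable {"
                + " public String user = \"sample-user\"; }").getBytes("UTF-8"));
        int rc = ToolProvider.getSystemJavaCompiler().run(null, null, null, "-d", app1.toString(), src.toString());
        if (rc != 0) throw new IllegalStateException("could not compile Foo");

        ClassLoader parent = SessionClassLoaderDemo.class.getClassLoader();
        try (URLClassLoader loader1 = new URLClassLoader(new URL[] {app1.toUri().toURL()}, parent);
             URLClassLoader loader2 = new URLClassLoader(new URL[] {app2.toUri().toURL()}, parent)) {
            // Web App #1 creates the attribute; the "shared session" holds it as bytes.
            Object attr = loader1.loadClass("Foo").getDeclaredConstructor().newInstance();
            ByteArrayOutputStream stored = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(stored)) { out.writeObject(attr); }
            try (ObjectInputStream in = new LoaderInput(stored.toByteArray(), loader1)) {
                System.out.println("app1 reads: " + in.readObject().getClass().getName());
            }
            try (ObjectInputStream in = new LoaderInput(stored.toByteArray(), loader2)) {
                in.readObject(); // Foo is not visible to Web App #2's loader
            } catch (ClassNotFoundException e) {
                System.out.println("app2 fails: " + e);
            }
        }
    }
}
```

On Java 11 or later this runs directly with `java SessionClassLoaderDemo.java`; the first read prints `Foo` and the second prints the `ClassNotFoundException`.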
