tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <rhode...@telerama.com>
Subject Re: filter to change jsessionid cookie almost done, but need little help
Date Mon, 30 Sep 2002 16:53:54 GMT

The Tomcat sso solution only allows sso between applications in a single
container.  My sso solution allows sso across multiple jvm's in
different hosts in the same domain, as well as the SSO for the single JVM.

The SSO for tomcat is quite limited.

I agree that the jsessionid is part of the spec, we agree with all specs,
right?  But we can have cookie name collisions if you try to raise the
scope/domain of the jsessionid cookie.  

My original problem is that I am not able to intercept the setting of the
jsessionid cookie in my filter.  Can you provide any guidance on how I may
intercept this event?

Thanks!
Phillip

On Sun, 29 Sep 2002, Craig R. McClanahan wrote:

> 
> 
> On Sat, 28 Sep 2002, Phillip Rhodes wrote:
> 
> > Date: Sat, 28 Sep 2002 13:51:18 -0400
> > From: Phillip Rhodes <rhodespc@telerama.com>
> > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > To: tomcat-user@jakarta.apache.org
> > Subject: filter to change jsessionid cookie almost done,
> >      but need  little help
> >
> > I am writing a package that will facilitate sso between java based
> > applications that will be released open source and free.
> >
> 
> You might also consider just using the single sign on support provided by
> your container.  For Tomcat 4, see the documentation at:
> 
>   http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html
> 
> and scroll down to the section entitled "Single Sign On".
> 
> > Part of the problem is that the tomcat cookie name is NOT at all
> > configurable.
> > When jsessionid is set, the host of the domain is present, the scope is set
> > to the webapp, etc...
> >
> 
> The cookie name is standardized by the servlet spec -- there is no reason
> to make it configurable.
> 
> > I wrote a filter that reads the jsessionid and change the scope and domain
> > that it can be read by any application in that domain.
> > My problem is that in the first request in my filter (and to the app), the
> > cookie may not be set.
> > No problem (or so i thought!) .  I created a HttpResponseWrapper and
> > HttpRequestWrapper and pass that onto the filter chain.
> > When someone calls addCookie on the response (my wrapper) , I put in in my
> > requestwrapper, so I can read cookies that are set in the present
> > request/response.
> > After I do the filter.doChain method, I again check for the jsessionid
> > cookie.  It's not set in the HttpRequestWrapper that I passed onto the
> > chain, but I DO know it's being set by the time my browser gets it.
> >
> 
> IMHO, you are following the wrong strategy.  It's perfectly reasonable to
> support single sign on across apps that have independent sessions (and
> even apps that don't involve sessions at all).  The Tomcat implementation
> accomplishes SSO with a separate cookie.
> 
> Craig
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> 
> 


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message