Return-Path: Delivered-To: apmail-jakarta-tomcat-user-archive@apache.org Received: (qmail 79499 invoked from network); 30 Sep 2002 16:54:24 -0000 Received: from unknown (HELO nagoya.betaversion.org) (192.18.49.131) by daedalus.apache.org with SMTP; 30 Sep 2002 16:54:24 -0000 Received: (qmail 29612 invoked by uid 97); 30 Sep 2002 16:54:46 -0000 Delivered-To: qmlist-jakarta-archive-tomcat-user@jakarta.apache.org Received: (qmail 29589 invoked by uid 97); 30 Sep 2002 16:54:45 -0000 Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Tomcat Users List" Reply-To: "Tomcat Users List" Delivered-To: mailing list tomcat-user@jakarta.apache.org Received: (qmail 29567 invoked by uid 98); 30 Sep 2002 16:54:45 -0000 X-Antivirus: nagoya (v4218 created Aug 14 2002) Date: Mon, 30 Sep 2002 12:53:54 -0400 (EDT) From: To: Tomcat Users List Subject: Re: filter to change jsessionid cookie almost done, but need little help In-Reply-To: <20020929171223.M18303-100000@icarus.apache.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N The Tomcat sso solution only allows sso between applications in a single container. My sso solution allows sso across multiple jvm's in different hosts in the same domain, as well as the SSO for the single JVM. The SSO for tomcat is quite limited. I agree that the jsessionid is part of the spec, we agree with all specs, right? But we can have cookie name collisions if you try to raise the scope/domain of the jsessionid cookie. My original problem is that I am not able to intercept the setting of the jsessionid cookie in my filter. Can you provide any guidance on how I may intercept this event? Thanks! Phillip On Sun, 29 Sep 2002, Craig R. McClanahan wrote: > > > On Sat, 28 Sep 2002, Phillip Rhodes wrote: > > > Date: Sat, 28 Sep 2002 13:51:18 -0400 > > From: Phillip Rhodes > > Reply-To: Tomcat Users List > > To: tomcat-user@jakarta.apache.org > > Subject: filter to change jsessionid cookie almost done, > > but need little help > > > > I am writing a package that will facilitate sso between java based > > applications that will be released open source and free. > > > > You might also consider just using the single sign on support provided by > your container. For Tomcat 4, see the documentation at: > > http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html > > and scroll down to the section entitled "Single Sign On". > > > Part of the problem is that the tomcat cookie name is NOT at all > > configurable. > > When jsessionid is set, the host of the domain is present, the scope is set > > to the webapp, etc... > > > > The cookie name is standardized by the servlet spec -- there is no reason > to make it configurable. > > > I wrote a filter that reads the jsessionid and change the scope and domain > > that it can be read by any application in that domain. > > My problem is that in the first request in my filter (and to the app), the > > cookie may not be set. > > No problem (or so i thought!) . I created a HttpResponseWrapper and > > HttpRequestWrapper and pass that onto the filter chain. > > When someone calls addCookie on the response (my wrapper) , I put in in my > > requestwrapper, so I can read cookies that are set in the present > > request/response. > > After I do the filter.doChain method, I again check for the jsessionid > > cookie. It's not set in the HttpRequestWrapper that I passed onto the > > chain, but I DO know it's being set by the time my browser gets it. > > > > IMHO, you are following the wrong strategy. It's perfectly reasonable to > support single sign on across apps that have independent sessions (and > even apps that don't involve sessions at all). The Tomcat implementation > accomplishes SSO with a separate cookie. > > Craig > > > -- > To unsubscribe, e-mail: > For additional commands, e-mail: > > -- To unsubscribe, e-mail: For additional commands, e-mail: