From Justin Ruthenbeck <just...@nextengine.com>
Subject Re: Maintaining Sessions
Date Wed, 02 Jun 2004 23:54:55 GMT
At 04:22 PM 6/2/2004, you wrote:
>There is a web.xml file in my catalinahome/conf
>directory.  I have read that according to some
>specifications somewhere, I should also have a web.xml
>in every WEB-INF directory for each application.  Does
>the main web.xml file apply to all applications, and
>the WEB-INF web.xml just add settings to the specific
>applications, or does it OVERRIDE the main web.xml (so
>I would need to include ALL the entries found in the
>main file in ALL of the application level web.xml
>files)?

The app-specific web.xml extends the global one (information
defined in the app-specific one overrides the global one, but
any information not overridden is inherited).

>And what would an entry look like to force one
>specific file to re-direct to the secure port?  I can
>only find very vague examples that secure entire
>applications.

This is a Servlet spec thing -- see SRV.12.8 (Servlet 2.3).

It's basically something like this in your web.xml (no
guarantees for code correctness here, but it should get you
started):

<security-constraint>
   <web-resource-collection>
     <!-- web-resource-name is required by the servlet DTD -->
     <web-resource-name>Secure Area</web-resource-name>
     <url-pattern>/secure/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <!-- CONFIDENTIAL: a plain-http request for these URLs is redirected
          to the port named by redirectPort on the http connector -->
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

>Thanks for the help thus far,
>
>Justin Jaynes

No problem.  Good luck.
justin




>--- Justin Ruthenbeck <justinr@nextengine.com> wrote:
> >
> > Hi,
> >
> > Square peg, round hole.
> >
> > It seems like the only reason you've split these
> > into multiple hosts is
> > to differentiate between secure and non-secure
> > communication -- that's a
> > bad idea.  From what you've said, the best approach
> > is to put all of the
> > JSPs for (A) and (C) in the same webapp, but set
> > <security-constraint>s
> > for those resources (C) that require https.
> >
> > See:
> >
> > http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
> >
> > What you're describing here is a deployment-time
> > problem -- it shouldn't
> > impact your code in a major way like distributed
> > sessions would cause.
> >
> > justin
> >
> >
> > At 02:56 PM 6/2/2004, you wrote:
> > >Hello,
> > >
> > >I am running Tomcat 5.0.25 on SuSE Linux 9.1.  I am
> > >running ONE Tomcat server with two services:
> > >
> > >1.  Standalone on port 80, with two hosts:
> > >     A.  A basic shopping site with a CartBean.java
> > >         that I set scope=session when I call it from
> > >         JSP's.
> > >     B.  Another not related host.
> > >
> > >2.  Standalone SECURE on port 443, with two hosts:
> > >     C.  The secure checkout site for host A (above)
> > >     B.  Another secure, but not related, host.
> > >
> > >My cart.jsp on host A uses checkout.jsp on host C to
> > >process the request.  However, the session with
> > >CartBean objects does not carry over.  How do I keep
> > >my session alive from host to host on the same server?
> > >  And what if I decide to move the host C to another
> > >server on another machine?  Then what?
> > >
> > >Or is this the wrong approach?  Is there a way to have
> > >SOME secure jsp's on the same host as some non-secure
> > >jsp's?
> > >
> > >And do I HAVE to have a WEB-INF directory for both
> > >hosts, or could they somehow share a WEB-INF directory
> > >so I only have to maintain ONE set of classes?  I
> > >tried using symbolic-link WEB-INF's to one big WEB-INF
> > >directory, but it did NOT work.
> > >
> > >Justin Jaynes
> > >
> > >
> > >
> > >
> > >__________________________________
> > >Do you Yahoo!?
> > >Friends.  Fun.  Try the all-new Yahoo! Messenger.
> > >http://messenger.yahoo.com/
> > >
> >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > >For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >


______________________________________________
Justin Ruthenbeck
Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential. See:
http://www.nextengine.com/confidentiality.php
______________________________________________
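As an added example (not from the original mail or from Tomcat's own docs), here is what the single-webapp layout suggested above looks like when only one file, checkout.jsp, must be served over https, together with the two connector entries that make the redirect land on the SSL port. The paths, ports and resource name are assumptions; the keystore attributes for the SSL connector are left to the ssl-howto linked above.

```xml
<!-- Added example, not from the original mail. Assumes one webapp that
     holds both cart.jsp and checkout.jsp (hypothetical paths). -->

<!-- WEB-INF/web.xml of that webapp: only checkout.jsp requires https;
     every other resource in the webapp is still served over plain http. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Checkout</web-resource-name>
    <!-- an exact path, not a wildcard, so only this one file is affected -->
    <url-pattern>/checkout.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a plain-http request for /checkout.jsp is answered
         with a redirect to the same path on the SSL connector's port -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/server.xml: redirectPort on the http connector names the port the
     redirect goes to, so it must match the port of the SSL connector. -->
<Connector port="80" redirectPort="443" />
<Connector port="443" scheme="https" secure="true" sslProtocol="TLS" />

<!-- The JSESSIONID cookie is scoped to the host name, not the port, so the
     session created on port 80 is presented again on port 443 after the
     redirect; that is what keeps the CartBean session alive across the
     switch, and it also means the session id first travelled in the clear
     over port 80. -->
```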

