tomcat-users mailing list archives

From André Warnier
Subject Re: HyperLink Office connection
Date Wed, 09 Jun 2010 09:52:11 GMT

wrote:
> Hi,
> I have a webapp (Spring+Hibernate) running on Tomcat 5.5.15. Tomcat is configured for
> Single-Sign-On and it works fine with the login system of the application (typical login/password).
> Anyway, at the moment it's not working well when an external link is executed from a Word
> file (Microsoft Office 2003/2007 - more info here:
> Basically when the link requires a protected page, normally the user is redirected to
> the login page and, after a successful login, the page should be displayed. But it happens
> only if the user copies and pastes the link into the browser URL bar. Instead, if he clicks on
> the Word file after the login, he is redirected to the default home page.
> I debugged the application, browser cookies and HTTP sessions and it looks like another
> session is created:
> 1) when the link is sent ("200") to the application
> 2) it returns "302" HTTP status and JSESSIONID (strangely this value is always the same)
> 2) Word requires connection again ("200")
> 3) A new JSESSIONID cookie is created, different from the one in 1), and returns "200"
> The changed session of course causes the application to fail the redirection after login.
> How can I configure Tomcat to make it work with this kind of connection and keep
> working with the usual login via browser?

Without really digging deep into it, my first impression is that this 
will not work, for the following reason:
Your Word instance is a different process than the browser, and it makes 
its own connection to the server, distinct from the connection the 
browser makes.  The server "senses" this, and creates a new session.
Or else (but similar in the effect), to retrieve this document, Word 
calls the browser with this URL, and the browser makes a new connection 
to the server to retrieve it.

You could try forcing Tomcat to not use cookies, and put the session-id 
in the URL (I forget how to do this, but someone here knows and will 
tell us).

But even so, I think that the whole scheme is rather flaky, because its 
behaviour will be unstable in front of the various combinations of 
workstations and browsers, and how they handle this.

If you describe the application a bit more in detail, someone here might 
be able to suggest a scheme that works better.
For example, you mention Microsoft Office. Does that mean that all your 
potential users are going to be accessing this from Windows 
workstations, all of them logged-in in a Windows domain, and that your 
server is also in that Windows domain?
And are the Word documents static documents, or are they being generated 
on-the-fly for this one logged-in user?

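The behaviour discussed in this thread, as an added Python simulation (not code from either poster and not Tomcat's own code): a toy server keeps the post-login target in the server-side session, and each client process has its own cookie jar. The class and function names and the `/home` and `/login` paths are constructed, and the model assumes that Word resolves the link itself and hands the browser the URL it ended up on.

```python
import itertools

# Toy model of a form login: the post-login target lives in the server-side session.
class ToyServer:
    HOME, LOGIN = "/home", "/login"        # constructed paths

    def __init__(self):
        self.sessions = {}                 # session id -> per-session state
        self._ids = itertools.count(1)

    def _session(self, cookies):
        sid = cookies.get("JSESSIONID")
        if sid not in self.sessions:       # no cookie or unknown id: new session
            sid = f"S{next(self._ids)}"
            self.sessions[sid] = {"user": None, "saved": None}
            cookies["JSESSIONID"] = sid    # models Set-Cookie into this client's jar
        return self.sessions[sid]

    def get(self, cookies, path):
        """Return (status, url) for a GET from the client owning `cookies`."""
        s = self._session(cookies)
        if path == self.LOGIN or s["user"]:
            return 200, path
        s["saved"] = path                  # protected URL remembered in THIS session only
        return 302, self.LOGIN

    def login(self, cookies, user):
        """Successful credential POST: redirect to the saved URL, else to the home page."""
        s = self._session(cookies)
        s["user"] = user
        return 302, s["saved"] or self.HOME

def follow(server, cookies, path):
    """Follow redirects with one cookie jar; return the URL finally served."""
    status, target = server.get(cookies, path)
    while status == 302:
        status, target = server.get(cookies, target)
    return target

def pasted_in_browser(server, url):
    jar = {}                               # one process, one cookie jar
    follow(server, jar, url)               # ends on the login page, URL saved in session
    return follow(server, jar, server.login(jar, "alice")[1])

def clicked_in_word(server, url):
    word_jar, browser_jar = {}, {}         # two processes, two cookie jars
    handed_over = follow(server, word_jar, url)   # Word ends up on the login page
    follow(server, browser_jar, handed_over)      # browser gets a second, empty session
    return follow(server, browser_jar, server.login(browser_jar, "alice")[1])
```

In the second case the saved URL sits in the session that only Word's cookie identifies, so the browser's login finds nothing to redirect to and falls back to the home page.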