tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Session sharing between context
Date Wed, 06 Apr 2011 18:52:51 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sergio,

On 4/5/2011 9:03 AM, Sergio wrote:
> We have an environment where there will be several instance of the same
> webapp running on tomcat (sharing libraries when possible), each
> connecting to different database. My idea is to have a webapp dedicated
> to login, once the user login I would redirect him to the webapp of his
> company (another context, user in the database is associated with
> company).

That sounds like a security problem waiting to happen: users can
authenticate to the login webapp and then have free access to any
company's webapp based just upon URL?

> Something like this:
> 
> http://webapp.strategos.net/ (WebappLogin context on tomcat)
> http://webapp.strategos.net/company1/ (WebappCompany1 context on tomcat)
> http://webapp.strategos.net/company2/ (WebappCompany2 context on tomcat)
> 
> Is it possible to redirect browser to different context and share http
> session that was created in the login context?

HttpServletResponse.sentRedirect should always work. You just need to
make sure that the session will be shared. Read the Tomcat documentation
on SSO for more information.

> I'm not using tomcat
> authentication, the whole authentication process is done by our webapp
> (if required we can change this).

I don't believe Tomcat's SSO can work unless you are using Tomcat's
authentication.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2ctoMACgkQ9CaO5/Lv0PDRAwCghNzyig1d8cE6lSQuNs3ij1lD
6GsAoLoFQNLIzdnq2/sQ3FF52jewndXG
=aTIx
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message