tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pid <...@pidster.com>
Subject Re: Session sharing between context
Date Thu, 07 Apr 2011 10:50:23 GMT
On 4/6/11 7:52 PM, Christopher Schultz wrote:
> Sergio,
> 
> On 4/5/2011 9:03 AM, Sergio wrote:
>> We have an environment where there will be several instance of the same
>> webapp running on tomcat (sharing libraries when possible), each
>> connecting to different database. My idea is to have a webapp dedicated
>> to login, once the user login I would redirect him to the webapp of his
>> company (another context, user in the database is associated with
>> company).
> 
> That sounds like a security problem waiting to happen: users can
> authenticate to the login webapp and then have free access to any
> company's webapp based just upon URL?
> 
>> Something like this:
> 
>> http://webapp.strategos.net/ (WebappLogin context on tomcat)
>> http://webapp.strategos.net/company1/ (WebappCompany1 context on tomcat)
>> http://webapp.strategos.net/company2/ (WebappCompany2 context on tomcat)
> 
>> Is it possible to redirect browser to different context and share http
>> session that was created in the login context?
> 
> HttpServletResponse.sentRedirect should always work. You just need to
> make sure that the session will be shared. Read the Tomcat documentation
> on SSO for more information.
> 
>> I'm not using tomcat
>> authentication, the whole authentication process is done by our webapp
>> (if required we can change this).
> 
> I don't believe Tomcat's SSO can work unless you are using Tomcat's
> authentication.

Correct.

If you're using custom auth, you may be able to implement externalised
SSO.  There are a number of 3rd party projects that provide this
functionality, which is far more sensible that writing your own from
scratch.


p

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Mime
View raw message