On 4/6/11 7:52 PM, Christopher Schultz wrote:
> Sergio,
>
> On 4/5/2011 9:03 AM, Sergio wrote:
>> We have an environment where there will be several instances of the same
>> webapp running on tomcat (sharing libraries when possible), each
>> connecting to a different database. My idea is to have a webapp dedicated
>> to login; once the user logs in I would redirect him to the webapp of his
>> company (another context; the user in the database is associated with a
>> company).
>
> That sounds like a security problem waiting to happen: users can
> authenticate to the login webapp and then have free access to any
> company's webapp based just upon URL?
>
>> Something like this:
>
>> http://webapp.strategos.net/ (WebappLogin context on tomcat)
>> http://webapp.strategos.net/company1/ (WebappCompany1 context on tomcat)
>> http://webapp.strategos.net/company2/ (WebappCompany2 context on tomcat)
>
>> Is it possible to redirect browser to different context and share http
>> session that was created in the login context?
>
> HttpServletResponse.sendRedirect should always work. You just need to
> make sure that the session will be shared. Read the Tomcat documentation
> on SSO for more information.
>
>> I'm not using tomcat
>> authentication, the whole authentication process is done by our webapp
>> (if required we can change this).
>
> I don't believe Tomcat's SSO can work unless you are using Tomcat's
> authentication.
Correct.
If you're using custom auth, you may be able to implement externalised
SSO. There are a number of 3rd party projects that provide this
functionality, which is far more sensible than writing your own from
scratch.
p
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
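What the container-managed route recommended above looks like, as an added illustration that is not from the thread or from Tomcat's own docs: the SingleSignOn valve is scoped to a Host and shares the authenticated principal (not the HttpSession, which stays per context) across every webapp under it, and each company context still enforces its own role so an SSO-authenticated user of company1 cannot just change the URL to reach company2. The Realm, its table/column names, the role names and the login page paths are assumed.

```xml
<!-- server.xml (assumed layout): SSO applies per Host, so the valve and the
     shared Realm both sit inside <Host>. -->
<Host name="webapp.strategos.net" appBase="webapps">
  <!-- One Realm for all contexts; the user-to-company link is expressed as a
       role in user_roles (assumed schema), not by which URL was requested. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/AuthDB"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
  <!-- A user authenticated by any context under this Host is recognised by
       the others; each context still creates its own HttpSession. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
</Host>

<!-- WebappCompany1/WEB-INF/web.xml (assumed): container authentication plus a
     company-specific role. Authentication is satisfied by SSO, but the
     auth-constraint is evaluated per context, so a user lacking the
     "company1" role gets 403 even though already logged in elsewhere. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>company1 application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>company1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- keep the SSO cookie (JSESSIONIDSSO) off plain HTTP -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>company1</role-name>
</security-role>
```

WebappCompany2 carries the same constraint with role "company2"; the login webapp only needs the login-config and can sendRedirect to the company context once request.getRemoteUser() is set.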