tomcat-users mailing list archives

From Pid <>
Subject Re: Session sharing between context
Date Thu, 07 Apr 2011 10:50:23 GMT
On 4/6/11 7:52 PM, Christopher Schultz wrote:
> Sergio,
> On 4/5/2011 9:03 AM, Sergio wrote:
>> We have an environment where there will be several instances of the same
>> webapp running on tomcat (sharing libraries when possible), each
>> connecting to different database. My idea is to have a webapp dedicated
>> to login, once the user logs in I would redirect him to the webapp of his
>> company (another context, user in the database is associated with
>> company).
> That sounds like a security problem waiting to happen: users can
> authenticate to the login webapp and then have free access to any
> company's webapp based just upon URL?
>> Something like this:
>> (WebappLogin context on tomcat)
>> (WebappCompany1 context on tomcat)
>> (WebappCompany2 context on tomcat)
>> Is it possible to redirect browser to different context and share http
>> session that was created in the login context?
> HttpServletResponse.sendRedirect should always work. You just need to
> make sure that the session will be shared. Read the Tomcat documentation
> on SSO for more information.
>> I'm not using tomcat
>> authentication, the whole authentication process is done by our webapp
>> (if required we can change this).
> I don't believe Tomcat's SSO can work unless you are using Tomcat's
> authentication.


If you're using custom auth, you may be able to implement externalised
SSO.  There are a number of 3rd party projects that provide this
functionality, which is far more sensible than writing your own from


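The concern Christopher raises above, as an added Java sketch that is not code from the thread or from any SSO project: the login webapp hands over an HMAC-signed, short-lived token naming both the user and the company, and each company webapp accepts it only for its own company. The class name, token layout, shared key and sample values are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration; all names here are hypothetical.
public class CompanyHandoff {
    private final byte[] key; // secret shared by the login webapp and the company webapps

    public CompanyHandoff(byte[] key) { this.key = key.clone(); }

    private byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encode(tag);
    }

    // Login webapp: issue a token that names the user AND the company.
    public String issue(String user, String company, long expiresAtMillis) throws Exception {
        if (user.contains("|") || company.contains("|"))
            throw new IllegalArgumentException("field contains the delimiter");
        String payload = user + "|" + company + "|" + expiresAtMillis;
        return payload + "|" + new String(sign(payload), StandardCharsets.UTF_8);
    }

    // Company webapp: accept only an untampered, unexpired token for THIS company.
    public boolean accept(String token, String thisCompany, long nowMillis) throws Exception {
        String[] p = token.split("\\|", -1);
        if (p.length != 4) return false;
        byte[] expected = sign(p[0] + "|" + p[1] + "|" + p[2]);
        // Constant-time comparison of the signature before trusting any field.
        if (!MessageDigest.isEqual(expected, p[3].getBytes(StandardCharsets.UTF_8))) return false;
        return nowMillis < Long.parseLong(p[2]) && p[1].equals(thisCompany);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and values.
        CompanyHandoff h = new CompanyHandoff("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String t = h.issue("sergio", "company1", now + 60_000);
        System.out.println("own company:     " + h.accept(t, "company1", now));
        System.out.println("other company:   " + h.accept(t, "company2", now));
        System.out.println("edited company:  "
                + h.accept(t.replace("company1", "company2"), "company2", now));
        System.out.println("after expiry:    " + h.accept(t, "company1", now + 120_000));
    }
}
```

The sketch does not prevent replay of a token inside its validity window, and the token should only travel over TLS.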