Hello -

I am building a web application that needs to transfer the user to a secure
server to enter credit card information. The problem I've run into with
servlets/JSP is that you can't pass session information to another server
and back again because it violates security rules. So, I thought I would
write a servlet that uses RMI to grab a session from the initiating server.
It had a single method:
getRemoteSession(String sessionID) that would return an HttpSession based
on the ID that was passed to it.

That would have been fine until I realized that
HttpSessionContext.getSession(String id) has been completely deprecated and
will not be replaced (again because of security rules), so now I have no way
of getting a session from the remote server. My question is, how does
anyone build a useful ecommerce system if all servlet engines make it
impossible to move between servers? Certainly the designers of JSDK must
have thought about moving between servers like this while retaining state.
Is there any way to do this using the JSDK 2.1/JSP 1.0 APIs without writing
a ton of code? I know the app servers out there must do this or else they
wouldn't be able to support load balancing. I think Apache JServ allows
you to get information from any other machine running JServ, but
unfortunately it doesn't let you use the JSDK 2.1 API, which I need to be able
to use beans for business logic and JSP for display (i.e., no
RequestDispatcher in the JSDK 2.0).

Also, with regard to the security issues, wouldn't it be better to leave
something like HttpSessionContext.getSession(String id) in the API and
require the use of the SecurityManager classes to use it instead of just
deprecating it?

Thanks for any help with this and I apologize for such a long post.

Mike
