resend...first one didn't catch.
-----Original Message-----
From: The elephantwalker [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 01, 2002 11:17 AM
To: Orion-Interest; [EMAIL PROTECTED]
Subject: RE: Sharing session across web apps

From my post on oracle otn:

Session data is not shared between web applications. User data is definitely important to share between applications. The single-sign-on security option in 9i AS is an example of this. But that's kind of a black box.

If you use single-sign-on, then simply getting the remote user from the request in your servlet can be used as a key to get user data from your persistence layer (ejb's or jdbc or even jms).

If you don't want to use single-sign-on, you can use a filter. There's some url prestidigitation, but otherwise this approach is pretty simple:

1. Protect access to all of your web-app's urls with some naming convention /webappname/secure*. However, don't use these urls in any web page. All servlets and jsps you use should map names beginning with "secure".

2. Filter all access to your webapp (this is a new feature in servlet spec 2.3). Within the filter, use the session id as a key to find out if the user is already logged in to any other web application. You will need a stateless session bean to do this.

The doFilter would be something like this:

    SecurityBean securitybean = Utilities.getSecurityBean();
    // doFilter receives a ServletRequest, so cast it to reach the session
    HttpSession session = ((HttpServletRequest) request).getSession(true);
    // the session id is the lookup key shared by all the web apps
    String sessionid = session.getId();
    if (session.getAttribute("myuserdata") == null) {
        UserData userdata = securitybean.getUserdata(sessionid);
        if (userdata != null)
            session.setAttribute("myuserdata", userdata);
    }

... now forward the request to the "secure*" url in the filter.

If the user was logged in with the slsb securitybean, then your web app will have all of your user data. If the user is not logged in by the securitybean, then the login prompt established in your web.xml will pop up.

The only extra work is to have a slsb securitybean. This can use the RoleManager in orion or it can use the jaas implementation in oc4j to log the user in, using the sessionid to get the username.

The shared="true" attribute should be used for all applications in the *-web-site.xml, so that the sessionid's are the same.

regards,

the elephantwalker
www.elephantwalker.com

P.S. If you don't want to use the session id, you can use another more secure time-dependent MD5 hash key which would be in a cookie or url tag. But then this would be the single-sign-on application ;).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nimmons, Buster
Sent: Friday, February 01, 2002 6:34 AM
To: Orion-Interest
Subject: Sharing session across web apps

I have one web-app which gathers a user's information and places a userInfo object in the session. I set the sharing attribute for this and all other apps to true, yet when I go to another webapp from this one the objects in the session are no longer there. The session ID between apps is the same but the creation time and attributes are different. Has anyone successfully configured webapps to share sessions?
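
The P.S. in the reply above suggests a time-dependent hash key carried in a cookie or url tag instead of the raw session id. The sketch below is an added example, not code from the thread or from Orion/OC4J: it swaps the MD5 hash for a keyed HMAC-SHA-256 and checks an expiry window, and the class name SsoToken, the token layout, the 15-minute lifetime and the demo key are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Hypothetical helper: issues and checks a time-limited, keyed login token. */
public class SsoToken {
    private static final long MAX_AGE_MS = 15 * 60 * 1000L; // assumed lifetime

    private static String sign(byte[] key, String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Token layout (constructed for this example): base64url(user).issuedAtMillis.tag */
    public static String issue(byte[] key, String user, long nowMs) throws Exception {
        String u = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(user.getBytes(StandardCharsets.UTF_8));
        String payload = u + "." + nowMs;
        return payload + "." + sign(key, payload);
    }

    /** Returns the user name, or null if the token is malformed, forged or expired. */
    public static String verify(byte[] key, String token, long nowMs) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3) return null;
        String expected = sign(key, p[0] + "." + p[1]);
        // Compare tags in constant time so the check does not leak how many bytes matched
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                   p[2].getBytes(StandardCharsets.US_ASCII))) return null;
        long issued;
        try { issued = Long.parseLong(p[1]); } catch (NumberFormatException e) { return null; }
        // Reject tokens dated in the future as well as ones past their lifetime
        if (issued > nowMs || nowMs - issued > MAX_AGE_MS) return null;
        return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8);
        long t0 = 1_012_590_000_000L; // constructed timestamp
        String tok = issue(key, "alice", t0);
        System.out.println(verify(key, tok, t0 + 60_000));         // fresh token
        System.out.println(verify(key, tok + "x", t0 + 60_000));   // tampered tag
        System.out.println(verify(key, tok, t0 + MAX_AGE_MS + 1)); // expired token
    }
}
```

Each web app's filter would call verify on the cookie value with the same server-side key, so the user name is taken from an authenticated token rather than from a session id that a client can present to any application.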