You need to be on Tomcat 5.5 for the session scoping to work correctly.
There was a bug in previous versions of Tomcat with regard to
cross-context dispatching.

-Eric

Aaron Evans wrote:
> Santiago Gala <sgala <at> apache.org> writes:
>> Re: your authentication & authorization problem, the session and the
>> request are shared if the servlet and the portlet are in the same
>> webapp, so you have basically all you need.
>
> Unfortunately, this does not seem to be the case. At least with Jetspeed2
> anyway. Essentially, I believe that when you access a portlet of webapp X
> through Jetspeed's webapp Y, then you are somehow kept in the scope of Y's
> class loader. When you bypass the portal and access a servlet/JSP URI of
> webapp X directly, your session from webapp Y is not available. I'll have to
> do some tests to verify this for sure, but so far, that seems to be how it
> works for Jetspeed at least.
>
> However, the light at the end of the tunnel is using Tomcat's SSO mechanism
> to establish a container-level session that will share your security principal
> and roles. I just have to figure out how to get that working with Jetspeed's
> security setup. You still would not have access to session-scoped objects
> created though, but that's not such a big deal as you could reload them in
> webapp X.
>
> Note that it is always the case in Tomcat, even with SSO, that session-scoped
> attributes in context A are not available to context B (as it should be).
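
A configuration sketch of the Tomcat SSO setup discussed above, added as an example and not taken from the thread or from Jetspeed's own configuration. The context paths, the role name, the login pages and the use of UserDatabaseRealm are assumptions standing in for the real deployment.

```xml
<!-- conf/server.xml (fragment). Context paths and Realm are placeholders. -->
<Host name="localhost" appBase="webapps">

  <!-- One Realm at Host (or Engine) level: SSO only applies when every
       participating webapp authenticates against the same Realm.
       UserDatabaseRealm stands in for whatever realm the portal uses. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- Container-level single sign-on: the authenticated principal and its
       roles are recognised by every webapp in this Host. HttpSession
       attributes are NOT shared; each context keeps its own session. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

  <!-- The portal dispatches into portlet webapps, so it needs
       cross-context access (webapp Y in the thread). -->
  <Context path="/jetspeed" docBase="jetspeed" crossContext="true"/>

  <!-- Webapp X, also reachable directly, bypassing the portal. -->
  <Context path="/webappX" docBase="webappX"/>
</Host>

<!-- WEB-INF/web.xml of webapp X (fragment). SSO only covers resources under
     container-managed security, so the directly reachable servlet/JSP URIs
     need a constraint and a login-config of their own. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>direct-access</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- placeholder role -->
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>       <!-- placeholder -->
    <form-error-page>/login-error.jsp</form-error-page> <!-- placeholder -->
  </form-login-config>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
```

With this in place, webapp X can read the shared identity through `request.getUserPrincipal()` and `request.isUserInRole(...)` and rebuild its own session-scoped objects from that, since the portal's session attributes stay private to the portal's context.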