Re: Session sharing between context
On 4/6/11 7:52 PM, Christopher Schultz wrote:
> Sergio,
>
> On 4/5/2011 9:03 AM, Sergio wrote:
>> We have an environment where there will be several instances of the same
>> webapp running on Tomcat (sharing libraries when possible), each
>> connecting to a different database. My idea is to have a webapp dedicated
>> to login; once the user logs in I would redirect him to the webapp of his
>> company (another context; the user in the database is associated with a
>> company).
>
> That sounds like a security problem waiting to happen: users can
> authenticate to the login webapp and then have free access to any
> company's webapp based just upon URL?
>
>> Something like this:
>>
>> http://webapp.strategos.net/ (WebappLogin context on Tomcat)
>> http://webapp.strategos.net/company1/ (WebappCompany1 context on Tomcat)
>> http://webapp.strategos.net/company2/ (WebappCompany2 context on Tomcat)
>>
>> Is it possible to redirect the browser to a different context and share the HTTP
>> session that was created in the login context?
>
> HttpServletResponse.sendRedirect should always work. You just need to
> make sure that the session will be shared. Read the Tomcat documentation
> on SSO for more information.
>
>> I'm not using Tomcat
>> authentication; the whole authentication process is done by our webapp
>> (if required we can change this).
>
> I don't believe Tomcat's SSO can work unless you are using Tomcat's
> authentication.

Correct.

If you're using custom auth, you may be able to implement externalised SSO.
There are a number of 3rd party projects that provide this functionality,
which is far more sensible than writing your own from scratch.

p

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session sharing between context
Sergio,

On 4/5/2011 9:03 AM, Sergio wrote:
> We have an environment where there will be several instances of the same
> webapp running on Tomcat (sharing libraries when possible), each
> connecting to a different database. My idea is to have a webapp dedicated
> to login; once the user logs in I would redirect him to the webapp of his
> company (another context; the user in the database is associated with a
> company).

That sounds like a security problem waiting to happen: users can
authenticate to the login webapp and then have free access to any
company's webapp based just upon URL?

> Something like this:
>
> http://webapp.strategos.net/ (WebappLogin context on Tomcat)
> http://webapp.strategos.net/company1/ (WebappCompany1 context on Tomcat)
> http://webapp.strategos.net/company2/ (WebappCompany2 context on Tomcat)
>
> Is it possible to redirect the browser to a different context and share the HTTP
> session that was created in the login context?

HttpServletResponse.sendRedirect should always work. You just need to
make sure that the session will be shared. Read the Tomcat documentation
on SSO for more information.

> I'm not using Tomcat
> authentication; the whole authentication process is done by our webapp
> (if required we can change this).

I don't believe Tomcat's SSO can work unless you are using Tomcat's
authentication.

-chris
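The concern Chris raises, that a user who has authenticated to the login context can then reach any company's context simply by changing the URL, is one the redirect itself cannot solve; each company webapp has to check that the authenticated user actually belongs to the company it serves. The servlet Filter below is an added example written for this thread, not code from any of the posters or from Tomcat. It assumes the Servlet 2.4 API available on Tomcat 5.5, that identity has already been established by the container (Tomcat authentication plus the SingleSignOn valve, as Chris suggests) so that `request.getUserPrincipal()` is populated, and a hypothetical user-to-company lookup (`CompanyDirectory`, here a constructed in-memory table standing in for the user database). The package name, filter class name and `company` init-param name are assumptions as well.

```java
// Added example, not from the thread or from Tomcat. A Filter deployed in
// each company webapp that refuses requests from users whose company is not
// the one this context serves, so the URL alone grants nothing.
package net.strategos.webapp.security; // hypothetical package

import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CompanyContextFilter implements Filter {

    /** Hypothetical user -> company lookup; in practice backed by the user table. */
    static class CompanyDirectory {
        private final Map<String, String> companyByUser = new HashMap<String, String>();

        CompanyDirectory() {
            // Constructed sample data, not real accounts.
            companyByUser.put("alice", "company1");
            companyByUser.put("bob", "company2");
        }

        /** Returns the user's company, or null if the user is unknown. */
        String companyOf(String username) {
            return companyByUser.get(username);
        }
    }

    // The company this context serves, e.g. "company1"; read from web.xml so the
    // same filter class can be deployed unchanged in every company webapp.
    private String expectedCompany;
    private CompanyDirectory directory;

    public void init(FilterConfig config) throws ServletException {
        expectedCompany = config.getInitParameter("company");
        if (expectedCompany == null || expectedCompany.trim().length() == 0) {
            // Fail closed at deployment time rather than silently allowing everyone.
            throw new ServletException("init-param 'company' is required");
        }
        directory = new CompanyDirectory();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Identity comes from the container (Tomcat auth + SSO valve). With a
        // custom login scheme, read whatever that scheme stored server-side
        // (e.g. a session attribute), never a request parameter or the URL.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Which company a user may use is a property of the user record, not of
        // the context path the browser happened to request.
        String usersCompany = directory.companyOf(principal.getName());
        if (usersCompany == null || !expectedCompany.equals(usersCompany)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        directory = null;
    }
}
```

To deploy it, each company webapp's web.xml registers the filter with a `<filter>` element carrying an `<init-param>` named `company` (set to `company1` in WebappCompany1, `company2` in WebappCompany2) and a `<filter-mapping>` on `/*`, so the check runs before any page in that context. Tomcat's cross-context session sharing that Chris refers to is the `org.apache.catalina.authenticator.SingleSignOn` valve configured on the Host, which only propagates identities established by Tomcat's own authenticators; a custom login scheme would instead need to hand the identity to each context in a way the filter can verify server-side.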
Session sharing between context
Hi,

Running with Java 5, Tomcat 5.5.33, Hibernate, MyFaces+Tomahawk on Debian/Windows.

We have an environment where there will be several instances of the same
webapp running on Tomcat (sharing libraries when possible), each
connecting to a different database. My idea is to have a webapp dedicated
to login; once the user logs in I would redirect him to the webapp of his
company (another context; the user in the database is associated with a
company).

Something like this:

http://webapp.strategos.net/ (WebappLogin context on Tomcat)
http://webapp.strategos.net/company1/ (WebappCompany1 context on Tomcat)
http://webapp.strategos.net/company2/ (WebappCompany2 context on Tomcat)

Is it possible to redirect the browser to a different context and share the HTTP
session that was created in the login context?

I'm not using Tomcat authentication; the whole authentication process is
done by our webapp (if required we can change this).

Thanks,
Sergio