Re: Suggestions for overlapping URI spaces

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Bill,

Bill Barker wrote:
 Enabling the RequestDumper to see if the browser is actually sending the 
 path would help.

Does the browser ever send the path?

Using LiveHTTPHeaders, I observed the following:

A = C08
B = 375

1. Visited the root-deployed application; server responds with
   credential challenge along with Set-Cookie header (cookie A).
   Successful login, including client-sent cookie (path=/).
2. Visited the /foo application by attempting to access restricted
   resource. cookie A was presented by the client; 302 redirect to
   login page, including Set-Cookie (cookie B) header (path=/foo).
3. /foo Login page requested by client, including Cookie header
   containing JSESSIONID=[B]; JSESSIONID=[A].
4. Credentials submitted to /foo/j_security_check, including Cookie
   header containing B; A.

No paths were ever sent by the client.

Both applications appear to work in this scenario. App /foo continues to
work. Perhaps due to the cookie ordering in the Cookie header. I'll
clear the cookies repeat the process in the opposite ordering.

B = E61
A = 858

0. Clear cookies from the entire site.
1. Attempt to access protected page in /foo; 302 response + Set-Cookie
   header (path=/foo) cookie B.
2. /foo login page requested by client, including correct Cookie header.
3. Successful login; cookie is sent with all appropriate requests.
4. Request protected page in root-deployed application; no cookie sent
   by client. Server responds with Set-Cookie header (path=/) and 200
   response (no redirect for this app). This is Cookie A.
5. Submit login to /j_security_check; includes cookie A; successful
   login; cookie A is sent appropriately with all requests.
6. Re-load a protected page in /foo application; cookie header sent
   by client is in B; A order (same as last time).

Perhaps Mozilla Firefox is smart enough to order the cookies by
most-specific path. I happen to be using ff 2.0.0.6.

I have actually observed the improper behavior described in my OP in the
past, though I'm not sure if it was with ff 2.x or 1.5.x or even MSIE or
something else. I will have to investigate them separately.

 ATM, Tomcat simply assumes that the browser sends the 
 longest matching cookie (or at least sends the longest matching cookie 
 first) and doesn't send back the path.  If any significant browser is 
 sending the path back, then Tomcat could also pick the longest path cookie 
 as well.

Is that accurate? I haven't gone into the code myself (heh it's tough to
follow all the indirections in that stuff), but I wonder if TC actually
tries multiple cookies if they are presented. Like I said, I obviously
proved that access works appropriately in ff 2.0.0.6. Perhaps it is a
browser issue. Too bas the testing process is so tedious :(

 2. Change the session id cookie name in one of the apps (is this
   possible and/or recommended?)
 
 Not possible on TC without hacking the code.

That's what I thought. It's odd that the servlet spec demands that the
name of the cookie be JSESSIONID. I guess it's so that servlet
containers can be swapped-out more easily since the name of the cookie
won't change and disturb lb or other configuration, or filters and stuff
that might stupidly hard-code the cookie name (maybe that's not so
stupid...).

 3. Use SSO -- except that I currently deploy these two applications
   in separate Tomcat instances.
 4. Re-deploy the root webapp to /bar and forward / to /bar.
 
 The browser should reject the '/' cookie in this case, since the URL that it 
 sees doesn't start with '/bar'.

Of course. This is a sure-fire fix; it's just that it changes our URL
space and we need to be sensitive to our customers who expect to find
things under / instead of /bar.

Thanks for your thoughts, Bill.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGt1nu9CaO5/Lv0PARAkIgAJ40KCobl7lnTFE1rUs4t+SRMb+gLACfdDZD
EeGpEkgwlm40vSO1sEPc3tg=
=MhLD
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Suggestions for overlapping URI spaces

[Bill Barker]

Christopher Schultz [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Bill,

 Bill Barker wrote:
 Enabling the RequestDumper to see if the browser is actually sending the
 path would help.

 Does the browser ever send the path?


I've never seen one that did, and since TC sends the Session cookie as 
version 0, most browsers would likely assume that TC doesn't understand 
version 1 cookies.

 Using LiveHTTPHeaders, I observed the following:

 A = C08
 B = 375

 1. Visited the root-deployed application; server responds with
   credential challenge along with Set-Cookie header (cookie A).
   Successful login, including client-sent cookie (path=/).
 2. Visited the /foo application by attempting to access restricted
   resource. cookie A was presented by the client; 302 redirect to
   login page, including Set-Cookie (cookie B) header (path=/foo).
 3. /foo Login page requested by client, including Cookie header
   containing JSESSIONID=[B]; JSESSIONID=[A].
 4. Credentials submitted to /foo/j_security_check, including Cookie
   header containing B; A.

 No paths were ever sent by the client.

 Both applications appear to work in this scenario. App /foo continues to
 work. Perhaps due to the cookie ordering in the Cookie header. I'll
 clear the cookies repeat the process in the opposite ordering.

 B = E61
 A = 858

 0. Clear cookies from the entire site.
 1. Attempt to access protected page in /foo; 302 response + Set-Cookie
   header (path=/foo) cookie B.
 2. /foo login page requested by client, including correct Cookie header.
 3. Successful login; cookie is sent with all appropriate requests.
 4. Request protected page in root-deployed application; no cookie sent
   by client. Server responds with Set-Cookie header (path=/) and 200
   response (no redirect for this app). This is Cookie A.
 5. Submit login to /j_security_check; includes cookie A; successful
   login; cookie A is sent appropriately with all requests.
 6. Re-load a protected page in /foo application; cookie header sent
   by client is in B; A order (same as last time).

 Perhaps Mozilla Firefox is smart enough to order the cookies by
 most-specific path. I happen to be using ff 2.0.0.6.

 I have actually observed the improper behavior described in my OP in the
 past, though I'm not sure if it was with ff 2.x or 1.5.x or even MSIE or
 something else. I will have to investigate them separately.

 ATM, Tomcat simply assumes that the browser sends the
 longest matching cookie (or at least sends the longest matching cookie
 first) and doesn't send back the path.  If any significant browser is
 sending the path back, then Tomcat could also pick the longest path 
 cookie
 as well.

 Is that accurate? I haven't gone into the code myself (heh it's tough to
 follow all the indirections in that stuff), but I wonder if TC actually
 tries multiple cookies if they are presented. Like I said, I obviously
 proved that access works appropriately in ff 2.0.0.6. Perhaps it is a
 browser issue. Too bas the testing process is so tedious :(


The session cookie stuff is only in CoyoteAdapter.  It loops over the 
cookies, and sets the requestedSessionId on the Request to the first one 
that it finds (killing the one from ;jsessionid=, if sent).  For any other 
JSESSIONID cookie that it finds, it checks 
request.isRequestedSessionIdValid, and if not, sets the value to this 
cookie.  So assuming that the browser is sending longest-first, you could 
see what you claim if the /foo session timed out or was otherwise 
invalidated.

 2. Change the session id cookie name in one of the apps (is this
   possible and/or recommended?)

 Not possible on TC without hacking the code.

 That's what I thought. It's odd that the servlet spec demands that the
 name of the cookie be JSESSIONID. I guess it's so that servlet
 containers can be swapped-out more easily since the name of the cookie
 won't change and disturb lb or other configuration, or filters and stuff
 that might stupidly hard-code the cookie name (maybe that's not so
 stupid...).

 3. Use SSO -- except that I currently deploy these two applications
   in separate Tomcat instances.
 4. Re-deploy the root webapp to /bar and forward / to /bar.

 The browser should reject the '/' cookie in this case, since the URL 
 that it
 sees doesn't start with '/bar'.

 Of course. This is a sure-fire fix; it's just that it changes our URL
 space and we need to be sensitive to our customers who expect to find
 things under / instead of /bar.

 Thanks for your thoughts, Bill.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.7 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

 iD8DBQFGt1nu9CaO5/Lv0PARAkIgAJ40KCobl7lnTFE1rUs4t+SRMb+gLACfdDZD
 EeGpEkgwlm40vSO1sEPc3tg=
 =MhLD
 -END PGP SIGNATURE-

 -
 To start a new topic, e-mail: users@tomcat.apache.org
 To 

RE: Suggestions for overlapping URI spaces

[Peter Stavrinides]

To be honest I'm not sure how you are getting this right, its probably best to 
use separate namespaces though, then you can use URL rewriting to make them 
appear as one, this solution is really powerfull, we use it to integrate all 
our apps in our domain, we even integrate Java and Perl apps using Apache 
mod_rewrite, there is a similar module for tomcat called tuckey 
http://tuckey.org/urlrewrite/

Peter

-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Fri 8/3/2007 8:16 PM
To: Tomcat Users List
Subject: Suggestions for overlapping URI spaces
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

I have two applications deployed in production that share a URL space.
Actually, one is deployed as the root webapp, the the other one is at,
say, /foo.

My problem is that each webapp maintains its own session identifiers as
cookies. Since the session id cookie is always called JSESSIONID, a
visitor who uses both applications gets two cookies (one with /, and one
with /foo) with different JSESSIONID values. I'm guessing that Tomcat
doesn't try to pick the best one, since things get /really/ confusing
when this happens. Basically, our users get caught in a continuous
please-login - login - please-login - login loop. It appears that the
root JSESSIONID is being preferred over the more recent /foo one, which
is never read properly so the login can never happen.

Does anyone have any suggestions for how to fix this? Some obvious ideas
are:

1. Don't do that.
2. Change the session id cookie name in one of the apps (is this
   possible and/or recommended?)
3. Use SSO -- except that I currently deploy these two applications
   in separate Tomcat instances.
4. Re-deploy the root webapp to /bar and forward / to /bar.

I'm just looking for the right solution. Any comments or suggestions
would be appreciated.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGs38V9CaO5/Lv0PARApHzAKCqMrz2AntBJDAosgUkd5iBzBZVRwCglY2m
SlO68LvbodFxNLWIoObTorQ=
=KdXa
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Suggestions for overlapping URI spaces

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

I have two applications deployed in production that share a URL space.
Actually, one is deployed as the root webapp, the the other one is at,
say, /foo.

My problem is that each webapp maintains its own session identifiers as
cookies. Since the session id cookie is always called JSESSIONID, a
visitor who uses both applications gets two cookies (one with /, and one
with /foo) with different JSESSIONID values. I'm guessing that Tomcat
doesn't try to pick the best one, since things get /really/ confusing
when this happens. Basically, our users get caught in a continuous
please-login - login - please-login - login loop. It appears that the
root JSESSIONID is being preferred over the more recent /foo one, which
is never read properly so the login can never happen.

Does anyone have any suggestions for how to fix this? Some obvious ideas
are:

1. Don't do that.
2. Change the session id cookie name in one of the apps (is this
   possible and/or recommended?)
3. Use SSO -- except that I currently deploy these two applications
   in separate Tomcat instances.
4. Re-deploy the root webapp to /bar and forward / to /bar.

I'm just looking for the right solution. Any comments or suggestions
would be appreciated.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGs38V9CaO5/Lv0PARApHzAKCqMrz2AntBJDAosgUkd5iBzBZVRwCglY2m
SlO68LvbodFxNLWIoObTorQ=
=KdXa
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Suggestions for overlapping URI spaces

[Bill Barker]

Christopher Schultz [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 All,

 I have two applications deployed in production that share a URL space.
 Actually, one is deployed as the root webapp, the the other one is at,
 say, /foo.

 My problem is that each webapp maintains its own session identifiers as
 cookies. Since the session id cookie is always called JSESSIONID, a
 visitor who uses both applications gets two cookies (one with /, and one
 with /foo) with different JSESSIONID values. I'm guessing that Tomcat
 doesn't try to pick the best one, since things get /really/ confusing
 when this happens. Basically, our users get caught in a continuous
 please-login - login - please-login - login loop. It appears that the
 root JSESSIONID is being preferred over the more recent /foo one, which
 is never read properly so the login can never happen.

 Does anyone have any suggestions for how to fix this? Some obvious ideas
 are:


Enabling the RequestDumper to see if the browser is actually sending the 
path would help.  ATM, Tomcat simply assumes that the browser sends the 
longest matching cookie (or at least sends the longest matching cookie 
first) and doesn't send back the path.  If any significant browser is 
sending the path back, then Tomcat could also pick the longest path cookie 
as well.

 1. Don't do that.
 2. Change the session id cookie name in one of the apps (is this
   possible and/or recommended?)

Not possible on TC without hacking the code.

 3. Use SSO -- except that I currently deploy these two applications
   in separate Tomcat instances.
 4. Re-deploy the root webapp to /bar and forward / to /bar.

The browser should reject the '/' cookie in this case, since the URL that it 
sees doesn't start with '/bar'.


 I'm just looking for the right solution. Any comments or suggestions
 would be appreciated.

 Thanks,
 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.7 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

 iD8DBQFGs38V9CaO5/Lv0PARApHzAKCqMrz2AntBJDAosgUkd5iBzBZVRwCglY2m
 SlO68LvbodFxNLWIoObTorQ=
 =KdXa
 -END PGP SIGNATURE-

 -
 To start a new topic, e-mail: users@tomcat.apache.org
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]

 




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]