Hi,

With the current code (TC 4.1.6), the single signon does not work with the
loadbalancer connector.

If a user was logged in to a given webapp, the loadbalancer looks at the
JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
tomcat where the user was logged on.  But if the user hits another webapp,
the JSESSIONID is not present anymore and the dispatcher applies its
round-robin logic to dispatch the request to any tomcat.  It nullifies the
effect of the single signon.  There are two problems that prevent it from working.

1. On the Tomcat side, the generateSessionId() method of
   org.apache.catalina.authenticator.AuthenticatorBase does not append
   the jvmRoute of the Engine if one is specified.  So when a user changes
   webapp, the web connector dispatcher does not have any information to
   properly route the request;

2. The current loadbalancer code specifically looks for the JSESSIONID cookie
   and does not look for a JSESSIONIDSSO cookie.

I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
to add the jvmRoute to the session id; in fact it is a copy of the code from
org.apache.catalina.session.ManagerBase.

The change in:

        ./jk/native/common/jk_lb_worker.c
        ./jk/native2/common/jk_requtil.c

is also trivial: first the connector must look for the JSESSIONID cookie (or
param), and if not found it should look for the JSESSIONIDSSO cookie (or
param).  Then the same logic should be applied if either one is found.

Comments?

-- 
Denis Benoit
[EMAIL PROTECTED]
Tél: (514)879-5168


