Some background first: I made a lot of changes to the Authenticator test
classes some time ago. That led to changes to some of the Authenticator
classes. The test classes are basically in pairs - "with" and "without" SSO.
I decided to revisit the entire test suite, trying to make them more
self-consistent and self-documenting. I hoped to remove redundant tests
and perhaps add some missing edge cases at the same time.
I started work on TestSSOnonLoginAndBasicAuthenticator and found a test
that ended successfully, but for the wrong reason! (I take the blame.)
As I changed the test to do what it claimed, I discovered that
org.apache.catalina.connector.Response.encodeURL (implements
javax.servlet.http.HttpServletResponse) has logic to add the session ID
to the url in the jsessionid parameter, but there is nothing to add the
SSO session ID.
I decided to RTFM... Single Signon is described briefly in the Servlet
Spec, but is not defined. Tomcat implements SSO as a Valve. It is
described in the tomcat docs Reference section,
docs/config/host.html#Single Sign On
... which has six bullet points, the last of which says:
"The Single Sign On feature utilizes HTTP cookies to transmit a token
that associates each request with the saved user identity, so it can
only be utilized in client environments that support cookies."
I had always thought encoded url's were equally acceptable, but I was
mistaken. The documentation is clear and consistent with the implementation.
I need to fix my faulty unit test(s), but before I do any work I would
like to ask whether the restriction "SSO is only available to clients
that accept cookies" is reasonable and necessary. My initial thought is
that it wouldn't be too hard to support SSO within encodeURL (the real
work is done in Response.toEncoded).
WDYT?
Regards,
Brian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org