Thanks Christopher, I believe this was working by the time of Tomcat 4.. but not completely sure, it was a long time ago :)
2015-03-30 16:14 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Aurélien, > > On 3/30/15 4:24 AM, Aurélien Terrestris wrote: >>> If you write a Valve (which would be Tomcat-specific, and not >>> work under other servlet containers), you could change the way >>> Tomcat reads session identifiers from the request (and use a >>> request parameter instead of a path parameter). >> >> Maybe could you also have a look on Filters since they're made for >> modifying the request before it reaches the servlet (or modifying >> the response after it leaves the servlet) : >> >> http://www.oracle.com/technetwork/java/filters-137243.html > > This won't work well with Tomcat's authorization checks, since they > occur before the filter chain in invoked. > > - -chris > >> 2015-03-30 9:57 GMT+02:00 Wesley Acheson >> <wesley.ache...@gmail.com>: >>> On Mon, Mar 30, 2015 at 2:17 AM, Christopher Schultz < >>> ch...@christopherschultz.net> wrote: >>> >> Wesley, >> >> On 3/29/15 1:15 PM, Wesley Acheson wrote: >>>>>> A team I am working with use tomcat 7 as their web >>>>>> container. The application cannot use url session tracking >>>>>> due to compliance reasons. >>>>>> >>>>>> One of the requirements we are facing is that the >>>>>> application should work in an iframe on the safari web >>>>>> browser, which blocks all cookies. >> >> Do you mean that Safari has been configured to block all cookies? >> Because Safari won't block cookies just because you are using an >> <iframe >>>>>> . >> >>>> >>>> Should have said its a third party domain name. That can't >>>> change easily. Should have wrote Safari blocks all third party >>>> cookies. >>>> >>>> >> >>>> >> For this purpose I'd like to post some value around that acts as a >>>>>> session Id. However I'm not sure if this is possible? >> >> If you write a Valve (which would be Tomcat-specific, and not work >> under other servlet containers), you could change the way Tomcat >> reads session identifiers from the request (and use a request >> parameter instead of a path parameter). >> >>>> >>>> I understand that the solution at the moment would be container >>>> specific. >>>> >>>> >> >> Or you could handle session-management yourself and not use >> servlet-spec-style session-tracking (which would be WAY more >> invasive to your application). >> >>>> >>>> In the longer term this is probably better. For the immediate >>>> term I just need the lease invasive approach for the >>>> application. >>>> >>>> >> >>>>>> *I'm aware that this won't work for common paradigms such >>>>>> as POST-REDIRECT-GET.* >>>>>> >>>>>> Looking at CoyoteAdaptor.java seems to suggest that session >>>>>> Id can only be retrieved using SSL COOKIE and URL. >>>>>> >>>>>> COOKIE is out because of third party issues. URL is out >>>>>> because of compliance. SSL may be a possiblity but only if >>>>>> it doesn't involve custom client certificates. >>>>>> >>>>>> Is there any good place to hook in a post parameter for >>>>>> retrieving and reattaching the session? >> >> I've not done this before. CoyoteAdapter calls >> request.setRequestedSessionId in a few places, and I don't believe >> CoyoteAdapter can be overridden or replaced directly. >> >> If you had a Valve that ran before anything else, you might be able >> to capture the request, read a request parameter, and then call >> setRequestedSessionId yourself with that replacement value. >> >>>> >>>> Thanks very much I'm going to read up on valves now. >>>> >> >> YMMV >> >> -chris >>>> >>>> -------------------------------------------------------------------- > - - >>>> >>>> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>> >>>> >> >> --------------------------------------------------------------------- >> >> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJVGVpSAAoJEBzwKT+lPKRY1jkP/0Onuep4c7wOO1UeLB8zeuFc > ZOWf7YXhGpzxufTLJAsBrxtZpM/2EOu1Ht1MXjEFaQiSCqnpUsK9m9SnCg98uajw > terP6eKGiOO5cIg4+oR6mAdxsDYWNNg+Ksdk1ZUauKKxX3UmKWDNhCLazVUtqSJW > qIocqskAYH3VIqhxLbtEyQIGnyy7KQFRFwSS/gQj2aUsklX85+6UNuVZzbGgo6MK > q3VcEhOyUYuuvQB78+DP+D1iiYNP1NAyqRtjkBZYilb34LegQvU0jIunvKUzvFqJ > w6GLeXqVscVV9wdD9RYf/iIt9K63k+f2xZ+82gNN9IcknNW5o0hMFa+tdHSnjzEk > X4kSmrw/e5RBX1yXeD16kadrZfwXsgIXFj9b4ELPaT/Z28ED0vb7GEh3QGC0Q36J > X5hAPlZo+G5iXJb7xk8G0QTle3lgWuzeUMYqbIZepUkpvpkjVPqk5w+SkuqLWfzt > IoWfL1aIAv8EgA5vS+sQ6ADsT1yYRLzm/n3R2sGnE5Rk8uNDV8C5cqfC7489mUnh > SFJrKhnmcW2Jc84Vq+I3ZjAkneN3uBS6lOrX/VuuV3BT4zTOS3Ak/v7yJZ4r22RN > qCvceHciuAnNKkUb33jZYwY2eZBfzb3myyjx6guHXQgXZZbzVX7PESDenujrT2FO > BoEwFR4BfjOxSrzyoa43 > =G7fj > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
