Hi Lenya devs,

as you might be aware, Lenya's session management is quite unusual. Typically, web applications use a dedicated session per "authentication unit". E.g., usually you authenticate against a complete web application, and the application session reflects this authentication.

In contrast to that, Lenya uses a single session for multiple "authentication units" (i.e., accreditable managers or, in other words, user bases). For instance, if publication A and publication B use different accreditable managers, you have to log in every time you switch between A and B in the same browser.

At best, this is annoying. But if you access a page in publication A which contains an image from publication B, you are actually logged out of A since the identity is reset when the request to publication B is processed.

IMO the only reasonable solution to this problem is to isolate the sessions for each accreditable manager and allow multiple parallel authenticated identities. The cleanest solution might be to use a dedicated servlet for each publication, but this would probably make the application deployment and management much more complicated. A simpler approach would be to use the accreditable manager ID as part of the session attribute name, e.g.:

  String accrMgrId = accreditableManager.getId();
  String key = Identity.class.getName() + "/" + accrMgrId;
  session.setAttribute(key, identity);

When a request is processed, only the identity for the corresponding accreditable manager is taken into account. This looks a bit strange, though – we're kind of replicating the servlet engine's session management on the application level.

Do you think this makes sense? Or are there better solutions?

BTW, I filed a bug for this issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47023

-- Andreas



--
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01
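As an added example (not part of the original mail and not Lenya's own code), the following self-contained Java program runs the scenario described above twice: once with a single shared Identity attribute, once with the attribute name namespaced by the accreditable manager ID. The Session, Identity and AccreditableManager classes are minimal stand-ins for HttpSession and Lenya's real types, and the reset in requestShared is a simplified model of the behaviour the mail describes, not Lenya's actual access-controller logic; all of these are assumptions made so the file compiles and runs on its own.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not Lenya code. Session, Identity and AccreditableManager
 * are minimal stand-ins (assumptions) for HttpSession and Lenya's classes.
 */
public class PerManagerIdentityDemo {

    /* Stand-in for javax.servlet.http.HttpSession: a plain attribute map. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        void setAttribute(String key, Object value) { attrs.put(key, value); }
        Object getAttribute(String key) { return attrs.get(key); }
        void removeAttribute(String key) { attrs.remove(key); }
    }

    /* Stand-in for Lenya's Identity; records which manager issued it. */
    static final class Identity {
        final String user;
        final String issuedBy;
        Identity(String user, String issuedBy) { this.user = user; this.issuedBy = issuedBy; }
        public String toString() { return user + "@" + issuedBy; }
    }

    /* Stand-in for an AccreditableManager; only its ID is needed here. */
    static final class AccreditableManager {
        private final String id;
        AccreditableManager(String id) { this.id = id; }
        String getId() { return id; }
    }

    /* ---- Current behaviour: one Identity attribute shared by all managers ---- */

    static final String SHARED_KEY = Identity.class.getName();

    /* Simplified model of the reset described in the mail: a request handled by
       manager B finds an identity that B did not issue and clears it, so the
       user is logged out of A as a side effect of fetching B's image. */
    static Identity requestShared(Session session, AccreditableManager mgr) {
        Identity id = (Identity) session.getAttribute(SHARED_KEY);
        if (id != null && !id.issuedBy.equals(mgr.getId())) {
            session.removeAttribute(SHARED_KEY);
            return null;
        }
        return id;
    }

    /* ---- Proposed behaviour: one Identity attribute per accreditable manager ---- */

    static String keyFor(AccreditableManager mgr) {
        return Identity.class.getName() + "/" + mgr.getId();
    }

    static void login(Session session, AccreditableManager mgr, String user) {
        session.setAttribute(keyFor(mgr), new Identity(user, mgr.getId()));
    }

    /* Only the identity stored under this manager's key is consulted;
       identities for other managers in the same session are never touched. */
    static Identity requestIsolated(Session session, AccreditableManager mgr) {
        return (Identity) session.getAttribute(keyFor(mgr));
    }

    public static void main(String[] args) {
        AccreditableManager a = new AccreditableManager("pubA-users");
        AccreditableManager b = new AccreditableManager("pubB-users");

        // Current behaviour: log in to A, then a page in A pulls an image from B.
        Session shared = new Session();
        shared.setAttribute(SHARED_KEY, new Identity("alice", a.getId()));
        requestShared(shared, b);   // the image request, handled by B's manager
        System.out.println("shared key, A after B request: " + requestShared(shared, a));

        // Proposed behaviour: same sequence with per-manager keys.
        Session isolated = new Session();
        login(isolated, a, "alice");
        requestIsolated(isolated, b);   // B finds no identity for itself; A's stays put
        System.out.println("per-manager key, A after B request: " + requestIsolated(isolated, a));
        login(isolated, b, "bob");      // a second, parallel identity for B
        System.out.println("per-manager key, B: " + requestIsolated(isolated, b));
    }
}
```

Compile and run with javac/java. The first line printed shows A's identity gone after the B request under the shared key; the next two show A's identity intact and a second identity for B coexisting in the same session under the namespaced keys. One caveat worth keeping in mind when adopting this: logout handling must also use the namespaced key, and session-wide invalidation (for example on the servlet engine's session timeout) still ends all parallel identities at once, which is the expected behaviour for a single browser session.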

