Hi Rainer.

> > It seems Shiro recommends to extend
> > https://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
>
> From code review (I may be wrong), it seems Nexus is extending
> org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
> https://github.com/sonatype/nexus-oss/blob/master/plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/security/filter/authc/NexusHttpAuthenticationFilter.java
> in order to add the needed suffix to a new id when creating a session
> cookie and to subtract it before forwarding the id to the shiro internals.
>
> Some of the things you need are already implemented in recent mod_jk:
>
> Strategy 1:
>
> You can let mod_jk know about using another cookie by setting the worker
> load balancer attribute "session_cookie" e.g. to "mycookie". You might
> also want to change session_path to something non-standard such that an
> occasional path encoding with the busted session id doesn't interfere
> with mod_jk.
>
> See "session_cookie" and "session_path" in
> http://tomcat.apache.org/connectors-doc/reference/workers.html.

Yep, but Tomcat or HTTPd/mod_jk should set this cookie instead of JSESSIONID, shouldn't it?

> Strategy 2:
>
> Directly set the route with Apache means into the Apache environment
> variable JK_ROUTE. See "JK_ROUTE" in
> http://tomcat.apache.org/connectors-doc/reference/apache.html.
>
> The problem is how to set the cookie. You could do it using a servlet
> filter on the Tomcat side. Such a simple filter could be added to the
> webapp, without the need of changing the webapp sources. The filter is
> independent and would just be added to web.xml and the WEB-INF/lib.

Sadly I can't update the Nexus installation or setup ;(

> Letting mod_jk itself set the cookie could be a nice addition, because
> it would be easy for it to do. It knows the correct route name, whether
> the cookie was already received with the request and whether a failover
> happened. Would be easy to add. The configuration would need to wire the
> "HttpOnly" and "Secure" flags for the cookie.

Yes, and back to my initial question about updating mod_jk so it could set and reuse its own cookie instead of a substring of JSESSIONID :) HTTPd mod_proxy and mod_balancer did the same and it seems a smart alternative. What do you think?
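As an added illustration of the servlet-filter approach sketched in Strategy 2 above (example code, not from this thread, mod_jk or Nexus): a filter that issues a dedicated route cookie carrying the HttpOnly and Secure flags, and re-issues it when the cookie is absent or names another route (the failover case). The class name, the init-parameter names and the cookie name "mycookie" are assumptions; the cookie name must match the worker's "session_cookie" setting.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: drop the jar into WEB-INF/lib and map it in web.xml with
// init-params routeCookie (e.g. "mycookie"), routeName (this node's route) and
// an optional cookiePath (matching mod_jk's session_path, default "/").
public class RouteCookieFilter implements Filter {
    private String cookieName;
    private String routeName;
    private String cookiePath;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        cookieName = cfg.getInitParameter("routeCookie");
        routeName = cfg.getInitParameter("routeName");
        cookiePath = cfg.getInitParameter("cookiePath");
        if (cookieName == null || routeName == null) {
            throw new ServletException("routeCookie and routeName init-params are required");
        }
        if (cookiePath == null) cookiePath = "/";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // (Re)issue the cookie when it is missing or still names the node we failed over from.
        if (!hasOurRoute(request)) {
            Cookie c = new Cookie(cookieName, routeName);
            c.setPath(cookiePath);
            c.setHttpOnly(true);              // Servlet 3.0+: keep the cookie away from script
            c.setSecure(request.isSecure());  // only send over TLS when the request came over TLS
            response.addCookie(c);
        }
        chain.doFilter(req, res);
    }

    private boolean hasOurRoute(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (cookieName.equals(c.getName()) && routeName.equals(c.getValue())) return true;
        }
        return false;
    }

    @Override public void destroy() {}
}
```

On the Apache side the same route value then only needs to be copied from the cookie into JK_ROUTE, as the "JK_ROUTE" documentation linked above describes.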