Would this new solution be compatible with URL rewriting? (No cookies being used)
[EMAIL PROTECTED] wrote:
> On Mon, 8 Jul 2002, Denis Benoit wrote:
>
>> I think it would be difficult, since JSESSIONID is distinct for each
>> webapp on a Tomcat, only JSESSIONIDSSO (if the SingleSignon valve
>> is activated) is common to all webapps.
>>
>> I'll try to think of something, but if you think of something first,
>> let me know :)
>
> Well, my thinking is that in order to have 'single signon' you need
> a way to have a single cookie (or path param if cookies are disabled)
> across all webapps. Whatever means is used to get that as JSESSIONIDSSO,
> it can be used for JSESSIONID as well.
>
> So I would add a hook into the session id generator - and have
> the single signon use the hook to push session ids.
>
> If we want to have distinct sessions in each webapp - the session
> id would consist of the 'common' part and a per-webapp part.
>
> In general, my view of single signon is that each app must
> redirect to an auth application (similar to Kerberos, for example)
> and use the certificate as session id for all webapps.
>
> Costin
>
>> On Mon, 8 Jul 2002 [EMAIL PROTECTED] wrote:
>>
>>> +1
>>>
>>> But before doing that - would it be possible to replace JSESSIONIDSSO
>>> with a mechanism relying only on JSESSIONID?
>>>
>>> Even if we patch mod_jk, there are other load balancing solutions
>>> (hardware, etc.) - it would be much simpler if from 'outside'
>>> we would only use the standard JSESSIONID cookie / path param.
>>>
>>> Costin
>>>
>>> On Thu, 4 Jul 2002, Denis Benoit wrote:
>>>
>>>> Hi,
>>>>
>>>> With the current code (TC 4.1.6), the single signon does not work with the
>>>> loadbalancer connector.
>>>>
>>>> If a user was logged in a given webapp, the loadbalancer looks at the
>>>> JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
>>>> tomcat where the user was logged on. But if the user hits another webapp,
>>>> the JSESSIONID is not present anymore and the dispatcher applies its
>>>> round-robin logic to dispatch the request to any tomcat. It nullifies the
>>>> effect of the single signon. There are two problems that prevent it from working.
>>>>
>>>> 1. On the Tomcat side, the generateSessionId() method of
>>>>    org.apache.catalina.authenticator.AuthenticatorBase does not append
>>>>    the jvmRoute of the Engine if one is specified. So when a user changes
>>>>    webapp, the web connector dispatcher does not have any information to
>>>>    properly route the request;
>>>>
>>>> 2. The current loadbalancer code specifically looks for the JSESSIONID cookie
>>>>    and does not look for a JSESSIONIDSSO cookie.
>>>>
>>>> I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
>>>> to add the jvmRoute to the session id; in fact it is a copy of the code from
>>>> org.apache.catalina.session.ManagerBase.
>>>>
>>>> The change in:
>>>>
>>>>    ./jk/native/common/jk_lb_worker.c
>>>>    ./jk/native2/common/jk_requtil.c
>>>>
>>>> is also trivial, first the connector must look for the JSESSIONID cookie (or
>>>> param), and if not found it should look for the JSESSIONIDSSO cookie (or
>>>> param). Then the same logic should be applied if either one is found.
>>>>
>>>> Comments?
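The lookup order proposed for the connector in the oldest message of the thread (JSESSIONID first, then JSESSIONIDSSO, same routing logic for either), as an added C example that is not the mod_jk source or the patch under discussion. It assumes the jvmRoute is appended to the session id after a '.', covers the cookie case only (not the URL parameter), and uses hypothetical names (`cookie_value`, `sticky_worker`, `WORKERS`).

```c
#include <stdio.h>
#include <string.h>

/* Copy cookie `name` from a Cookie header value into out; returns 1 if found.
 * The '=' check keeps "JSESSIONID" from matching "JSESSIONIDSSO". */
static int cookie_value(const char *hdr, const char *name, char *out, size_t n)
{
    size_t len = strlen(name);
    for (const char *p = hdr; p && *p; p = strchr(p, ';')) {
        p += strspn(p, "; ");
        if (strncmp(p, name, len) == 0 && p[len] == '=') {
            size_t vl = strcspn(p + len + 1, "; ");
            if (vl == 0 || vl >= n) return 0;  /* empty or oversized value */
            memcpy(out, p + len + 1, vl);
            out[vl] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Index of the worker the request is sticky to, or -1 so the caller falls
 * back to round-robin. The first cookie present decides the route. */
int sticky_worker(const char *cookie_hdr, const char *const *workers, int nworkers)
{
    static const char *const names[] = { "JSESSIONID", "JSESSIONIDSSO" };
    char id[256];
    for (int i = 0; i < 2; i++) {
        if (!cookie_value(cookie_hdr, names[i], id, sizeof id))
            continue;
        const char *dot = strchr(id, '.');   /* assumed "<id>.<jvmRoute>" */
        /* Route is client-supplied: accept only a configured worker name. */
        for (int w = 0; dot && w < nworkers; w++)
            if (strcmp(dot + 1, workers[w]) == 0) return w;
        return -1;
    }
    return -1;
}

static const char *const WORKERS[] = { "tc1", "tc2" };  /* constructed names */

int main(void)
{
    /* Constructed header: a second webapp receives only the SSO cookie. */
    const char *hdr = "theme=dark; JSESSIONIDSSO=CD34.tc1";
    printf("worker index: %d\n", sticky_worker(hdr, WORKERS, 2));
    return 0;
}
```

Because the route suffix comes from the client, the example only ever returns an index into the configured worker list and treats anything else as "no sticky route".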