On Sat, 28 Sep 2002, Phillip Rhodes wrote:
> Date: Sat, 28 Sep 2002 13:51:18 -0400
> From: Phillip Rhodes <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: filter to change jsessionid cookie almost done,
> but need little help
>
> I am writing a package that will facilitate sso between java based
> applications that will be released open source and free.
>
You might also consider just using the single sign on support provided by
your container. For Tomcat 4, see the documentation at:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html
and scroll down to the section entitled "Single Sign On".
> Part of the problem is that the tomcat cookie name is NOT at all
> configurable.
> When jsessionid is set, the host of the domain is present, the scope is set
> to the webapp, etc...
>
The cookie name is standardized by the servlet spec -- there is no reason
to make it configurable.
> I wrote a filter that reads the jsessionid and change the scope and domain
> that it can be read by any application in that domain.
> My problem is that in the first request in my filter (and to the app), the
> cookie may not be set.
> No problem (or so i thought!) . I created a HttpResponseWrapper and
> HttpRequestWrapper and pass that onto the filter chain.
> When someone calls addCookie on the response (my wrapper) , I put in in my
> requestwrapper, so I can read cookies that are set in the present
> request/response.
> After I do the filter.doChain method, I again check for the jsessionid
> cookie. It's not set in the HttpRequestWrapper that I passed onto the
> chain, but I DO know it's being set by the time my browser gets it.
>
IMHO, you are following the wrong strategy. It's perfectly reasonable to
support single sign on across apps that have independent sessions (and
even apps that don't involve sessions at all). The Tomcat implementation
accomplishes SSO with a separate cookie.
Craig
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
