On 17/01/2023 09:43, Mark Thomas wrote:
On 16/01/2023 23:07, Jerry Malcolm wrote:
Well, after downloading and installing the Tomcat source in my Eclipse
environment and tracking through a bunch of breakpoints, I figured out
what was happening. SingleSignOn.invoke() was querying for the list
of cookies in the request (that were indeed present in the request),
but was returning null. Since no cookies were 'found' there was no
JSESSIONIDSSO cookie found, and everything failed from that point on.
So I started tracking why the cookies that were present were being
ignored. convertCookies was called, which did a getContext() which
returned null, so everything aborted. getContext() failed apparently
because I did not have a ROOT webapp (context) defined. I added a
dummy ROOT webapp, and voila....
So.... the bottom line to the entire problem is that RewriteRules with
SSO is not permitted UNLESS there is a dummy ROOT webapp defined. I'm
not sure why this would be a requirement, and I was not able to find
any documentation about it. I understand why SSO might require
contexts. But the primary purpose of RewriteRules is to hide the
plumbing on the URL line. If the requirement for context present is
required for SSO, then it would seem to me that the context should be
checked on the target of the rewrite, not the original string being
rewritten, since it most likely will not have a valid context. And a
dummy unused ROOT webapp just takes up resources. The reason it worked
in the other virtual host is that I actually did have a need in that
host for a ROOT context.
This one was painful. Just out of curiosity, is this restriction
intended? If so, error messages and/or documentation of it might need
a review.
No. The restriction isn't intended. See this discussion around a similar
issue:
https://github.com/apache/tomcat/pull/479
Generally, not having a ROOT context is sufficiently unusual that it is
rare for users to find bugs like this.
A similar approach should fix this - assume the default CookieProcessor
if no context is found.
Quick question. Is the SingleSignOn valve configured before the Rewrite
valve in your Host?
Mark
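
Added example (not part of the original thread and not Tomcat project code): a small audit that reads a server.xml and lists each Host that configures both the SingleSignOn valve and the rewrite valve but has no ROOT context, which is the combination described in the thread above. It assumes the standard Tomcat layout for where a ROOT context can come from (inline Context with an empty path, a ROOT directory or ROOT.war under appBase, or conf/<Engine>/<Host>/ROOT.xml); the host names and appBase values in the sample are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SSO = "org.apache.catalina.authenticator.SingleSignOn"
REWRITE = "org.apache.catalina.valves.rewrite.RewriteValve"

# Constructed sample configuration (host names and appBase values are placeholders).
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="a.example">
  <Host name="a.example" appBase="webapps-a">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
    <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
  </Host>
  <Host name="b.example" appBase="webapps-b">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
    <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
  </Host>
</Engine></Service></Server>
"""

def has_root_context(host, engine_name, base):
    """True if the Host gets a ROOT context from any of the usual sources."""
    if any(c.get("path") == "" for c in host.findall("Context")):
        return True  # <Context path=""> declared inline in server.xml
    app_base = Path(host.get("appBase", "webapps"))
    if not app_base.is_absolute():
        app_base = base / app_base  # relative appBase resolves under CATALINA_BASE
    descriptor = base / "conf" / engine_name / host.get("name") / "ROOT.xml"
    return ((app_base / "ROOT").is_dir() or (app_base / "ROOT.war").is_file()
            or descriptor.is_file())

def hosts_missing_root(server_xml, catalina_base):
    """Names of Hosts that use SSO plus the rewrite valve but have no ROOT context."""
    base = Path(catalina_base)
    flagged = []
    for engine in ET.fromstring(server_xml).iter("Engine"):
        for host in engine.findall("Host"):
            valves = {v.get("className") for v in host.findall("Valve")}
            if {SSO, REWRITE} <= valves and not has_root_context(
                    host, engine.get("name", "Catalina"), base):
                flagged.append(host.get("name"))
    return flagged

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "webapps-b" / "ROOT").mkdir(parents=True)  # b.example has a ROOT webapp
        print(hosts_missing_root(SAMPLE_SERVER_XML, tmp))
```

Against a real installation, pass the contents of conf/server.xml and the CATALINA_BASE directory; valves declared inside a Context rather than directly under the Host are not inspected.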