On 4/6/11 7:52 PM, Christopher Schultz wrote:
> Sergio,
> 
> On 4/5/2011 9:03 AM, Sergio wrote:
>> We have an environment where there will be several instances of the same
>> webapp running on tomcat (sharing libraries when possible), each
>> connecting to a different database. My idea is to have a webapp dedicated
>> to login; once the user logs in I would redirect him to the webapp of his
>> company (another context; the user in the database is associated with a
>> company).
> 
> That sounds like a security problem waiting to happen: users can
> authenticate to the login webapp and then have free access to any
> company's webapp based just upon URL?
> 
>> Something like this:
> 
>> http://webapp.strategos.net/ (WebappLogin context on tomcat)
>> http://webapp.strategos.net/company1/ (WebappCompany1 context on tomcat)
>> http://webapp.strategos.net/company2/ (WebappCompany2 context on tomcat)
> 
>> Is it possible to redirect browser to different context and share http
>> session that was created in the login context?
> 
> HttpServletResponse.sendRedirect should always work. You just need to
> make sure that the session will be shared. Read the Tomcat documentation
> on SSO for more information.
> 
>> I'm not using tomcat
>> authentication, the whole authentication process is done by our webapp
>> (if required we can change this).
> 
> I don't believe Tomcat's SSO can work unless you are using Tomcat's
> authentication.

Correct.

If you're using custom auth, you may be able to implement externalised
SSO.  There are a number of 3rd party projects that provide this
functionality, which is far more sensible than writing your own from
scratch.


p
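As an added illustration (not code from anyone in this thread), a servlet filter deployed in each company context that enforces Christopher's point: the context path alone must not grant access. It assumes the login step stores a `company` attribute that the company context can read (via Tomcat SSO or an external SSO product); the attribute name and the redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Deployed in each company webapp (e.g. the /company1 context). Rejects any
 * request whose authenticated company does not match this context, so a user
 * of company1 cannot reach /company2/ just by editing the URL.
 */
public class CompanyContextFilter implements Filter {
    static final String COMPANY_ATTR = "company"; // assumed: set by the login webapp

    /** True only when the authenticated company equals this context's name. */
    static boolean companyMatchesContext(String contextPath, String company) {
        if (company == null || contextPath == null) return false;
        // "/company1" -> "company1"
        String ctx = contextPath.startsWith("/") ? contextPath.substring(1) : contextPath;
        return !ctx.isEmpty() && ctx.equals(company);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one here
        if (session == null) {
            // Not logged in at all: send the browser to the login webapp (assumed at /).
            response.sendRedirect(request.getScheme() + "://" + request.getServerName() + "/");
            return;
        }
        String company = (String) session.getAttribute(COMPANY_ATTR);
        if (!companyMatchesContext(request.getContextPath(), company)) {
            // Logged in, but for a different company: refuse rather than redirect.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```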
