+1

But before doing that - would it be possible to replace JSESSIONIDSSO
with a mechanism relying only on JSESSIONID?

Even if we patch mod_jk, there are other load balancing solutions
(hardware, etc.) - it would be much simpler if from 'outside'
we would only use the standard JSESSIONID cookie / path param.

Costin

On Thu, 4 Jul 2002, Denis Benoit wrote:

> Hi,
> 
> With the current code (TC 4.1.6), the single signon does not work with the
> loadbalancer connector.
> 
> If a user was logged in a given webapp, the loadbalancer looks at the
> JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
> tomcat where the user was logged on.  But if the user hits another webapp,
> the JSESSIONID is not present anymore and the dispatcher applies its
> round-robin logic to dispatch the request to any tomcat.  It nullifies the
> effect of the single signon.  There are two problems that prevent it from working.
> 
> 1. On the Tomcat side, the generateSessionId() method of
>    org.apache.catalina.authenticator.AuthenticatorBase does not append
>    the jvmRoute of the Engine if one is specified.  So when a user changes
>    webapp, the web connector dispatcher does not have any information to
>    properly route the request;
> 
> 2. The current loadbalancer code specifically looks for the JSESSIONID cookie
>    and does not look for a JSESSIONIDSSO cookie.
> 
> I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
> to add the jvmRoute to the session id; in fact it is a copy of the code from
> org.apache.catalina.session.ManagerBase.
> 
> The change in:
> 
>       ./jk/native/common/jk_lb_worker.c
>       ./jk/native2/common/jk_requtil.c
> 
> is also trivial, first the connector must look for the JSESSIONID cookie (or
> param), and if not found it should look for the JSESSIONIDSSO cookie (or
> param).  Then the same logic should be applied if either one is found.
> 
> Comments?
> 
> 


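The lookup order proposed in the quoted message (JSESSIONID first, JSESSIONIDSSO only if it is absent, then route on the jvmRoute suffix), as an added example that is not part of the original thread and is not mod_jk code. It is narrowed to the cookie case; the worker names `tc1`/`tc2`, the helper names, and the `.` separator before the route are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed worker table: one entry per Tomcat Engine jvmRoute. */
static const char *const ROUTES[] = { "tc1", "tc2" };
#define N_ROUTES (sizeof ROUTES / sizeof ROUTES[0])

/* Copy the value of cookie `name` out of a Cookie header; 1 if found. */
static int cookie_value(const char *hdr, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        /* Exact name match, so "JSESSIONID" never matches "JSESSIONIDSSO". */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t n = strcspn(p + nlen + 1, ";");
            if (n >= cap) return 0;          /* oversized value: ignore it */
            memcpy(out, p + nlen + 1, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, ';');
    }
    return 0;
}

/* Index into ROUTES of the sticky worker, or -1 to fall back to round-robin. */
int pick_route(const char *cookie_hdr)
{
    char val[128];
    const char *dot;
    size_t r;
    if (!cookie_hdr) return -1;
    /* JSESSIONID first; JSESSIONIDSSO only when JSESSIONID is absent. */
    if (!cookie_value(cookie_hdr, "JSESSIONID", val, sizeof val) &&
        !cookie_value(cookie_hdr, "JSESSIONIDSSO", val, sizeof val))
        return -1;
    dot = strrchr(val, '.');                 /* route follows the last '.' */
    if (!dot) return -1;
    /* The suffix is client-supplied: accept only a configured worker. */
    for (r = 0; r < N_ROUTES; r++)
        if (strcmp(dot + 1, ROUTES[r]) == 0) return (int)r;
    return -1;
}

int main(void)
{
    printf("%d\n", pick_route("JSESSIONIDSSO=DEF456.tc1")); /* constructed */
    return 0;
}
```

A cookie whose suffix names no configured worker is treated the same as a missing cookie, so a client cannot steer its request to an arbitrary backend name.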