On Mon, 8 Jul 2002, Denis Benoit wrote: > I think it would be difficult, since JSESSIONID is distinct for each > webapp on a Tomcat, only JSESSIONIDSSO (if the SingleSignon valve > is activated) is common to all webapps. > > I'll try to think of something, but if you think of something first, > let me know :)
Well, my thinking is that in order to have 'single signon' you need a way to have a single cookie ( or path param if cookies are disabled ) across all webapps. Whatever mean to get that as JSESSIONIDSSO, it can be used for JSESSIONID as well. So I would add a hook into the session id generator - and have the single signon use the hook to push session ids. If we want to have distinct sessions in each webapp - the session id would consist of the 'common' part and a per-webapp part. In general, my view of single signon is that each app must redirect to an auth application ( similar with kerberos for example) and use the certificate as session id for all webapps. Costin > > On Mon, 8 Jul 2002 [EMAIL PROTECTED] wrote: > > > +1 > > > > But before doing that - would it be possible to replace JSESSIONIDSSO > > with a mechanism relying only on JSESSIONID ? > > > > Even if we patch mod_jk, there are other load balancing solutions > > ( hardware, etc ) - it would be much simpler if from 'outside' > > we would only use the standard JSESSIONID cookie / path param. > > > > Costin > > > > On Thu, 4 Jul 2002, Denis Benoit wrote: > > > > > Hi, > > > > > > With the current code (TC 4.1.6), the single signon does not work with the > > > loadbalancer connector. > > > > > > If a user was logged in a given webapp, the loadbalancer looks at the > > > JSESSIONID cookie (or URL parameter) to dispatch the request properly to the > > > tomcat where the user was logged on. But if the user hits another webapp, > > > the JSESSIONID is not present anymore and the dispatcher applies its > > > round-robin logic to dispatch the request to any tomcat. It nullifies the > > > effect of the single signon. There is two problem that prevent it to work. > > > > > > 1. On the Tomcat side, the generateSessionId() method of > > > org.apache.catalina.authenticator.AuthenticatorBase does not append > > > the jvmRoute of the Engine if one is specified. So when a user changes > > > webapp, the web connector dispatcher does not have any information to > > > properly route the request; > > > > > > 2. The current loadbalancer code specifically look for the JSESSIONID cookie > > > and does not look for a JSESSIONIDSSO cookie. > > > > > > I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase > > > to add the jvmRoute to the session id; in fact it is a copy of the code from > > > org.apache.catalina.session.ManagerBase. > > > > > > The change in: > > > > > > ./jk/native/common/jk_lb_worker.c > > > ./jk/native2/common/jk_requtil.c > > > > > > is also trivial, first the connector must look for the JSESSIONID cookie (or > > > param), and if not found it should look for the JSESSIONIDSSO cookie (or > > > param). Then the same logic should be applied if either one is found. > > > > > > Comments? > > > > > > > > > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
