http://issues.apache.org/bugzilla/show_bug.cgi?id=32837

           Summary: double login when using ;jsessionid=
           Product: Tomcat 5
           Version: Unknown
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

The situation is somewhat complex:

- There is a webapp using JDBCRealm.
- In the webapp there is a Java Web Start application. The JNLP URL is not part of the realm because of an IE cache bug.
- There is a Hessian service that is used from the JWS application. (Hessian is a binary protocol via HTTP for remote method invocation.) The Hessian service (servlet) is part of the realm, otherwise the principal might not be set (there is a bug # about this).

The Hessian servlet needs to know the logged-in user for its DB access. This means it has to execute getUserPrincipal and therefore needs to be part of the same session as was authenticated. However, a JWS app does not inherit the cookies of its browser. To solve this, the URL accessing the Hessian servlet has a ";jsessionid=" set (the sessionid is passed via the dynamically generated JNLP file).

What happens the first time the application is started:

- Open index.html: login dialog appears
- Login is successful
- Click on JNLP file
- JNLP is generated with current sessionid inside
- JWS application is downloaded
- JWS constructs the URL with ";jsessionid=" attached
- Login dialog appears (by JWS)
- Hessian service is accessed within the same session.

So the solution works, but there is a second login by the JWS environment. If the browser is stopped and restarted, there is no second login.

Since the need for the login is determined by the webapp server (Tomcat), I must place the cause for this behaviour at Tomcat. This happens with 4.1.29 and 5.5.4.

Specifying the session id via ";jsessionid=" is a valid way to attach to a session, so it is currently my opinion that this behaviour is not correct.