-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aurélien,
On 3/30/15 4:24 AM, Aurélien Terrestris wrote: >> If you write a Valve (which would be Tomcat-specific, and not >> work under other servlet containers), you could change the way >> Tomcat reads session identifiers from the request (and use a >> request parameter instead of a path parameter). > > Maybe could you also have a look on Filters since they're made for > modifying the request before it reaches the servlet (or modifying > the response after it leaves the servlet) : > > http://www.oracle.com/technetwork/java/filters-137243.html This won't work well with Tomcat's authorization checks, since they occur before the filter chain in invoked. - -chris > 2015-03-30 9:57 GMT+02:00 Wesley Acheson > <wesley.ache...@gmail.com>: >> On Mon, Mar 30, 2015 at 2:17 AM, Christopher Schultz < >> ch...@christopherschultz.net> wrote: >> > Wesley, > > On 3/29/15 1:15 PM, Wesley Acheson wrote: >>>>> A team I am working with use tomcat 7 as their web >>>>> container. The application cannot use url session tracking >>>>> due to compliance reasons. >>>>> >>>>> One of the requirements we are facing is that the >>>>> application should work in an iframe on the safari web >>>>> browser, which blocks all cookies. > > Do you mean that Safari has been configured to block all cookies? > Because Safari won't block cookies just because you are using an > <iframe >>>>> . > >>> >>> Should have said its a third party domain name. That can't >>> change easily. Should have wrote Safari blocks all third party >>> cookies. >>> >>> > >>> > For this purpose I'd like to post some value around that acts as a >>>>> session Id. However I'm not sure if this is possible? > > If you write a Valve (which would be Tomcat-specific, and not work > under other servlet containers), you could change the way Tomcat > reads session identifiers from the request (and use a request > parameter instead of a path parameter). > >>> >>> I understand that the solution at the moment would be container >>> specific. >>> >>> > > Or you could handle session-management yourself and not use > servlet-spec-style session-tracking (which would be WAY more > invasive to your application). > >>> >>> In the longer term this is probably better. For the immediate >>> term I just need the lease invasive approach for the >>> application. >>> >>> > >>>>> *I'm aware that this won't work for common paradigms such >>>>> as POST-REDIRECT-GET.* >>>>> >>>>> Looking at CoyoteAdaptor.java seems to suggest that session >>>>> Id can only be retrieved using SSL COOKIE and URL. >>>>> >>>>> COOKIE is out because of third party issues. URL is out >>>>> because of compliance. SSL may be a possiblity but only if >>>>> it doesn't involve custom client certificates. >>>>> >>>>> Is there any good place to hook in a post parameter for >>>>> retrieving and reattaching the session? > > I've not done this before. CoyoteAdapter calls > request.setRequestedSessionId in a few places, and I don't believe > CoyoteAdapter can be overridden or replaced directly. > > If you had a Valve that ran before anything else, you might be able > to capture the request, read a request parameter, and then call > setRequestedSessionId yourself with that replacement value. > >>> >>> Thanks very much I'm going to read up on valves now. >>> > > YMMV > > -chris >>> >>> -------------------------------------------------------------------- - - >>> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVGVpSAAoJEBzwKT+lPKRY1jkP/0Onuep4c7wOO1UeLB8zeuFc ZOWf7YXhGpzxufTLJAsBrxtZpM/2EOu1Ht1MXjEFaQiSCqnpUsK9m9SnCg98uajw terP6eKGiOO5cIg4+oR6mAdxsDYWNNg+Ksdk1ZUauKKxX3UmKWDNhCLazVUtqSJW qIocqskAYH3VIqhxLbtEyQIGnyy7KQFRFwSS/gQj2aUsklX85+6UNuVZzbGgo6MK q3VcEhOyUYuuvQB78+DP+D1iiYNP1NAyqRtjkBZYilb34LegQvU0jIunvKUzvFqJ w6GLeXqVscVV9wdD9RYf/iIt9K63k+f2xZ+82gNN9IcknNW5o0hMFa+tdHSnjzEk X4kSmrw/e5RBX1yXeD16kadrZfwXsgIXFj9b4ELPaT/Z28ED0vb7GEh3QGC0Q36J X5hAPlZo+G5iXJb7xk8G0QTle3lgWuzeUMYqbIZepUkpvpkjVPqk5w+SkuqLWfzt IoWfL1aIAv8EgA5vS+sQ6ADsT1yYRLzm/n3R2sGnE5Rk8uNDV8C5cqfC7489mUnh SFJrKhnmcW2Jc84Vq+I3ZjAkneN3uBS6lOrX/VuuV3BT4zTOS3Ak/v7yJZ4r22RN qCvceHciuAnNKkUb33jZYwY2eZBfzb3myyjx6guHXQgXZZbzVX7PESDenujrT2FO BoEwFR4BfjOxSrzyoa43 =G7fj -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
