antongiuli...@gmail.com wrote:
Hi,
I have a webapp (Spring+Hibernate) running on Tomcat 5.5.15. Tomcat is
configured for Single-Sign-On and it works fine with the login system of the
application (typical login/password).
Anyway, at the moment it's not working well when an external link is executed
from a Word file (Microsoft Office 2003/2007 - more info here:
http://support.microsoft.com/kb/899927).
Basically, when the link requires a protected page, normally the user is redirected
to the login page and, after a successful login, the page should be displayed. But
this happens only if the user copies and pastes the link into the browser URL bar.
Instead, if he clicks on the Word file after the login, he is redirected to the
default home page.
I debugged the application, browser cookies and http sessions and it looks like
another session is created:
1) when the link is sent ("200") to the application
2) it returns "302" http status and JSESSIONID (strangely this value is always
the same)
3) Word requires connection again ("200")
4) A new JSESSIONID cookie is created, different from the one in 1), and "200"
is returned
The changed session is, of course, the cause of the application failing the
redirection after login.
How can I configure Tomcat to make it work with this kind of connection and
keep working with the usual login via browser?

Without really digging deep into it, my first impression is that this
will not work, for the following reason:
Your Word instance is a different process than the browser, and it makes
its own connection to the server, distinct from the connection the
browser makes. The server "senses" this, and creates a new session.
Or else (but similar in the effect), to retrieve this document, Word
calls the browser with this URL, and the browser makes a new connection
to the server to retrieve it.
You could try forcing Tomcat to not use cookies, and put the session-id
in the URL (I forget how to do this, but someone here knows and will
tell us).
But even so, I think that the whole scheme is rather flaky, because its
behaviour will be unstable in the face of the various combinations of
workstations and browsers, and how they handle this.
If you describe the application a bit more in detail, someone here might
be able to suggest a scheme that works better.
For example, you mention Microsoft Office. Does that mean that all your
potential users are going to be accessing this from Windows
workstations, all of them logged-in in a Windows domain, and that your
server is also in that Windows domain?
And are the Word documents static documents, or are they being generated
on-the-fly for this one logged-in user?
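
An added toy model of the behaviour discussed in this thread (not written by either poster, and not Tomcat code). It assumes Word resolves the redirect with its own cookie jar and then hands the final URL to the browser; the class, paths and user name are constructed for illustration.

```python
import itertools

class ToyFormAuthServer:
    """Constructed stand-in for form login: the originally requested path
    is remembered in the session that was active when the 302 was sent."""
    def __init__(self):
        self.sessions = {}
        self._ids = itertools.count(1)

    def _session(self, cookies):
        sid = cookies.get("JSESSIONID")
        if sid not in self.sessions:             # unknown or missing cookie
            sid = f"S{next(self._ids)}"
            self.sessions[sid] = {"user": None, "saved": None}
        return sid

    def get(self, path, cookies):
        sid = self._session(cookies)
        cookies["JSESSIONID"] = sid              # models Set-Cookie
        sess = self.sessions[sid]
        if path.startswith("/protected/") and sess["user"] is None:
            sess["saved"] = path                 # remembered per session
            return 302, "/login"
        return 200, path

    def login(self, user, cookies):
        sess = self.sessions[self._session(cookies)]
        sess["user"] = user
        return 302, sess["saved"] or "/home"     # no saved path: home page


def follow(server, path, jar):
    """Follow redirects with one cookie jar; return the final URL."""
    status, target = server.get(path, jar)
    while status == 302:
        status, target = server.get(target, jar)
    return target


def pasted_into_browser(server, link):
    browser = {}                                 # the browser's cookie jar
    follow(server, link, browser)                # 302 -> /login, same jar
    return server.login("alice", browser)[1]


def clicked_in_word(server, link):
    word, browser = {}, {}                       # two processes, two jars
    final_url = follow(server, link, word)       # Word's own request
    follow(server, final_url, browser)           # browser opens /login fresh
    return server.login("alice", browser)[1]
```

The saved target lives in the session tied to Word's cookie, so the browser's login lands in a second session that has nothing to redirect to.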