2

I have an application with login Id and password. From this application, onclick of a certain menu item, I want to redirect to a different application which also has login Id and password.

I am trying to do this with session.setattribute but going nowhere.

Both the applications are built on Java EE using Struts and Hibernate. Can someone suggest how to do it?

Arjan Tijms
  • 1
    These two applications are pointed by same domain? – Vijay Shanker Dubey May 03 '12 at 07:41
  • Sorry, did not get your question. –  May 03 '12 at 07:45
  • Meaning, are these two apps deployed on the same domain, or does a cross-domain reference need to be established? – Vijay Shanker Dubey May 03 '12 at 07:46
  • They are deployed in the same domain. –  May 03 '12 at 07:47
  • @Cyphon : session.setAttribute should work since you say that they are in the same domain. You want the user to log in only once, i.e. if the user logs into one of the applications, he/she must automatically be logged into the other applications also without asking the user for username and password again, right? – Ashwin May 03 '12 at 14:18
  • @Ashwin These are two different applications with different login credentials –  May 04 '12 at 12:33
  • @Cyphon : What is it that you finally want to achieve? If both require different login credentials then why do you want to maintain a session or a cookie? – Ashwin May 04 '12 at 13:12
  • @Ashwin I want to access one application from the other providing the login credentials through session. –  May 07 '12 at 10:25

3 Answers

1

What you are looking for here is what's called "Single Sign On", that is, different applications sharing a user's credentials between them so the user only has to log in once.

As you have already discovered, sessions are not shared between web applications. Indeed, there are no provisions in the Java Servlet specification for this. Depending on what application server you are using and your deployment architecture, there are a number of proprietary solutions for this purpose. The simplest example is if you are using Tomcat and all your applications are deployed to the same virtual host and realm (and using the same domain). Then you can use the single sign-on valve.

pap
  • Do you mean sending user id and password as URL parameters to the second application and automatically logging the user in? I would not do that as you will be including the password in clear-text in the URL, which will for instance be logged in all access-logs. Better then to redirect with an HTTP POST (like a form submission). – pap May 03 '12 at 10:34
  • @pap : the OP has said that the web applications are in the same domain. So session will be shared. – Ashwin May 03 '12 at 14:19
  • @Ashwin just because they are in the same domain doesn't mean the sessions are shared. The session is local to the **application**. You may be thinking about cookies which, yes, the browser shares between different hosts within the same domain (provided the cookie is defined such). – pap May 04 '12 at 07:12
  • 1
    @pap : The session itself is maintained by a cookie called the JSESSIONID, which has PATH=/ . That means it is accessible from anywhere from the same host. – Ashwin May 04 '12 at 07:56
  • one stupid question "Is it server session or browser session"? –  May 04 '12 at 12:32
  • @Ashwin They may share the same session id, but it will not be the same session in both applications. – pap May 04 '12 at 12:47
  • @pap : are you sure about this? Are you saying that the JSESSIONID cookie will be sent only to the resources of the web application that created it and not to any other web application in the same domain? – Ashwin May 04 '12 at 13:07
  • @Ashwin not sure we understand each other. cookie != session. The JSESSIONID cookie may be shared, although this is not according to specs, default is that the JSESSIONID cookie is tied to a single host. Regardless, the cookie is not the session, it's just an ID value that points to a session stored in the server. – pap May 04 '12 at 15:03
  • @pap : ohk.. so each web application stores attributes corresponding to the JSESSIONID cookie value? Are these attributes stored in some kind of a database ? – Ashwin May 05 '12 at 04:42
0

As your applications are deployed on the same domain, you can add a cookie with an authentication token in the response and read the value of the authentication token in the request in the other application.

The other option I can think of is to create an authenticated value and put it in the database, and send the redirect request to the other application with this value as a request parameter. Your other application can read that auth value, validate it against the database and let the user pass the login and password page.

Vijay Shanker Dubey
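
The second option in the answer above (an authenticated value stored in the database and passed on the redirect), as an added example that is not part of the original answer. The class name, the 30-second lifetime, the `/app2/sso` URL and the in-memory map standing in for the shared database table are all assumptions; the ticket is random, short-lived and single-use, so a copy left in an access log cannot be replayed, and it carries the second application's user id rather than a password.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical one-time handoff tickets; the map stands in for the shared database table. */
public class HandoffTickets {
    private record Ticket(String userId, Instant expires) {}

    private static final Duration TTL = Duration.ofSeconds(30); // assumed lifetime
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Ticket> table = new ConcurrentHashMap<>();

    /** Application A: called for an already authenticated user, just before the redirect. */
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];                        // 256 random bits, not guessable
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(token, new Ticket(userId, now.plus(TTL)));
        return token;
    }

    /** Application B: remove() makes the ticket single-use, even under concurrent requests. */
    public Optional<String> redeem(String token, Instant now) {
        if (token == null) return Optional.empty();       // missing request parameter
        Ticket t = table.remove(token);
        if (t == null || now.isAfter(t.expires())) return Optional.empty();
        return Optional.of(t.userId());                   // caller creates its own session
    }

    public static void main(String[] args) {
        HandoffTickets store = new HandoffTickets();
        Instant t0 = Instant.parse("2012-05-03T08:00:00Z");  // constructed sample time
        String token = store.issue("alice", t0);             // constructed sample user
        System.out.println("redirect to /app2/sso?ticket=" + token);
        System.out.println("first use: " + store.redeem(token, t0.plusSeconds(5)));
        System.out.println("replay:    " + store.redeem(token, t0.plusSeconds(6)));
        String late = store.issue("alice", t0);
        System.out.println("expired:   " + store.redeem(late, t0.plusSeconds(31)));
        System.out.println("forged:    " + store.redeem("not-a-ticket", t0));
    }
}
```

Only the first redemption returns the user id; the replayed, expired and forged tickets all come back empty, and the second application should then fall through to its normal login page.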
0

You cannot communicate directly through the HttpSession between 2 separate applications. What you need to do is use cookies in order to achieve this communication.

Also take a look at this thread, as yours seems to be a possible duplicate of that one.

Community
Raul Rene
  • Honestly, I have never tried to communicate between two applications like this. Theoretically, you could do a URL redirect and try to set the attributes on the HttpRequest. – Raul Rene May 03 '12 at 08:30