5

I am developing a web application using JSP & Servlets (container: Tomcat7, database: Oracle10).

I have developed some web applications like Profile, Reports, Leads. Then I developed a Login application. In this application I am storing USERID in the session along with some more session attributes.

After the user logs in, he is shown a menu which contains links to the other applications, e.g. links to the Profile application.

So when I access the session after the user logs in:

  • If I try to access the session within the same application (Login), I get the session with all the required attributes
  • But when I try to access the session from other applications like Profiles, I get the session as null

Code snippet to check the session (Servlet filter in the Login web application):

// Inside the filter's doFilter(): ask only for an existing session, never create one here
HttpSession session = request.getSession(false);
if (session == null)
{
    System.out.println("Session does not exist... Redirected to LOGIN Page.");
    response.sendRedirect("/ApplicationName/Login.jsp");
    return; // stop here so the protected resource is not served after the redirect
}

I am accessing the session in the Profile application to check whether the user is logged in or not.

Then I searched and found that the session can't be accessed from other applications for security reasons. (I have also found that it can be done by setting crossContext="true".)

Then I found another option: making an EAR of all applications and then deploying it, but unfortunately EAR is not supported by Tomcat7.

I am new to the web environment, so if anyone has worked on this before, please let me know what the options can be.

Thanks in advance

Update 1

Now I have decided to use an EAR, in which I will pack all WAR files and then try to share the session between them. Since Tomcat doesn't support EAR, I have installed Oracle Glassfish, then created an Enterprise Application Project which contains two applications, 1. Login and 2. Profiles, then created an EAR file and deployed it on Glassfish. So I want to share the session between those two applications (on Glassfish); if anybody has any idea about it, please let me know. (A link to any tutorial will also be appreciated.)

Bhushan
  • That means you want to share data between several applications running on the same web server. This you can do with some manipulation in the web server's Catalina. I don't think there will be another method for doing this. – Nikhil Agrawal Apr 17 '13 at 12:47
  • @Nikhil yes, I want to share data between several applications running on the same web server (tomcat7) – Bhushan Apr 17 '13 at 12:48
  • http://stackoverflow.com/questions/9293350/domain-level-session-cookie-on-multiple-domains keywords: domain level session cookies – Joop Eggen Apr 17 '13 at 12:48
  • Single sign on may help you – Krushna Apr 17 '13 at 12:49
  • I think you need to re-consider your architecture. Login should not be an application. It should be a module or service that your application uses. – Apurv Apr 17 '13 at 12:49

2 Answers

5

As pointed out above, the requirement you are talking about is Single Sign On (SSO). The simplest SSO that you can implement is the following:

  1. After successful authentication, add a cookie with the encrypted user name (you do not need to encrypt a password)
  2. If you access any of your applications with the user name cookie and succeed in decrypting it, it means that the user was authenticated and you should not show the login page.

Use AES-256 for the encryption.

Michael
4

The way I have seen this done in my shop is to stuff the login credentials into an encrypted cookie and install agents (Java filters, web server mods etc., in front of the applications that need the user data) that will decrypt the cookies and pass along the data to the downstream applications. Do not store login information in the HTTP session if you want to share it across applications.

Mahesh Guruswamy
  • @GaborSch can you elaborate why you think it's hacky? If the web applications are running on different domains and user identities are totally unrelated, then I would consider putting in a full SSO solution. But if your applications are all on the same domain, I don't see any issues with this approach. – Mahesh Guruswamy Apr 17 '13 at 14:05
  • I wouldn't store any user credentials in a session cookie, either encrypted or not. That's a potential security vulnerability; though if you're encrypting with an asymmetric encoding that may be fine. Anyway, IMHO that would involve too many components. – gaborsch Apr 17 '13 at 14:12
  • Use [Kerberos](http://web.mit.edu/kerberos/) to handle this for you. Why re-invent the wheel? – drunkenRabbit Apr 17 '13 at 14:16
  • @GaborSch Anything that you propagate through the browser is going to be vulnerable (SSL or not). There are many ways to make it secure, e.g. storing an opaque reference to the user id and mapping it back to actual ids downstream, etc. From a complexity perspective, setting up a good encryption framework is not any more complex than setting up an SSO framework. In fact, a good encryption framework is essential for SSO (SAML, OAuth etc.) – Mahesh Guruswamy Apr 17 '13 at 14:21
  • @GaborSch the poster is clearly describing symmetric encryption, as he is referring to filters that "will decrypt the cookies". I am sorry, but this makes no sense. What cryptographic keys will the filters use to decrypt the cookies? Are the keys hardcoded in the filters' implementation? – Marcus Junius Brutus Nov 24 '16 at 03:06
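Both answers describe the same mechanism: the Login application issues an encrypted cookie carrying the user name, and a filter installed in every other application on the host decrypts that cookie instead of reading the HTTP session. The class below is an added example of such a filter; it is not code from the question, the answers, or any product, and it was written for this page. It assumes Java 8 or later, the Servlet 3.0 API that Tomcat 7 provides, a hypothetical cookie name SSO_TOKEN, a hypothetical request attribute sso.userId, and that the deployer hands the shared 256-bit key to each application as a base64 filter init-parameter named sso.key.base64 (so the key is never hardcoded in the filter, which is the point raised in the last comment). It goes beyond the answers in two ways: it uses AES-256 in GCM mode rather than unauthenticated AES, so a modified or forged cookie fails the authentication tag check and is treated as "not logged in", and it embeds an expiry time so a stolen cookie is not valid indefinitely. Only the user id is stored, never the password.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical SSO filter (example code, not from the question or answers).
 * The Login application calls issueCookie() after a successful password check;
 * every other application on the host maps this filter in its web.xml and
 * reads the verified user id from the request attribute USER_ATTR.
 */
public class SsoCookieFilter implements Filter {
    static final String COOKIE_NAME = "SSO_TOKEN";   // assumed cookie name
    static final String USER_ATTR = "sso.userId";    // assumed request attribute name
    private static final int IV_BYTES = 12;          // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;         // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private SecretKey key;
    private String loginUrl;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: the deployer supplies the shared key as base64 in the filter config.
        byte[] raw = Base64.getDecoder().decode(cfg.getInitParameter("sso.key.base64"));
        if (raw.length != 32) throw new ServletException("sso.key.base64 must decode to 32 bytes");
        key = new SecretKeySpec(raw, "AES");
        loginUrl = cfg.getInitParameter("sso.login.url");   // e.g. /Login/Login.jsp
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String userId = null;
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (COOKIE_NAME.equals(c.getName())) {
                    userId = verify(key, c.getValue(), System.currentTimeMillis() / 1000);
                }
            }
        }
        if (userId == null) {
            response.sendRedirect(loginUrl);
            return;   // stop the chain so the protected resource is never served
        }
        request.setAttribute(USER_ATTR, userId);   // downstream code reads the id from here
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }

    /** Builds the cookie the Login application sets after authenticating the user. */
    public static Cookie issueCookie(SecretKey key, String userId, long expiresAtEpochSeconds)
            throws GeneralSecurityException {
        Cookie c = new Cookie(COOKIE_NAME, seal(key, userId, expiresAtEpochSeconds));
        c.setHttpOnly(true);   // not readable by page scripts
        c.setSecure(true);     // only sent over HTTPS
        c.setPath("/");        // sent to every application (context) on this host
        return c;
    }

    /** Encrypts "userId|expiry" with AES-256-GCM; returns base64url(iv || ciphertext || tag). */
    static String seal(SecretKey key, String userId, long expiresAtEpochSeconds)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);   // a fresh nonce per cookie; never reuse one under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal((userId + "|" + expiresAtEpochSeconds).getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the user id, or null when the token is malformed, tampered with, or expired. */
    static String verify(SecretKey key, String token, long nowEpochSeconds) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < IV_BYTES + TAG_BITS / 8) return null;
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);   // AEADBadTagException if altered
            String[] parts = new String(pt, StandardCharsets.UTF_8).split("\\|", 2);
            if (parts.length != 2 || Long.parseLong(parts[1]) < nowEpochSeconds) return null;
            return parts[0];
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;   // bad base64, wrong key, modified ciphertext: all mean "not logged in"
        }
    }
}
```

To wire it up, each application maps the filter to the paths it protects in its web.xml with the same sso.key.base64 value; because the cookie path is "/", the browser sends it to the Login, Profile, Reports and Leads contexts alike, so no container-level crossContext or EAR packaging is needed. The cookie is a bearer credential just like JSESSIONID, so the Secure and HttpOnly flags and a short expiry matter as much as the encryption; if an application needs to revoke a login early, keep a server-side deny list keyed on the user id, since the cookie itself cannot be invalidated once issued.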