8

Okay this is the problem

I have a Java application running on top of Apache Tomcat & I have this other application too with its own war file running on the same server.

Now I want to authenticate the user once & pass that session to the other application.

We can say cross-domain session sharing on the same Apache Tomcat. How should I go about it?

Thank you

Asad Khan

3 Answers

5

Tomcat provides Single Sign On functionality via a valve specified within Host element in Tomcat's configuration:

<Host name="localhost" ...>
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
</Host>

There are certain restrictions applied, take a look at the above link (scroll to Single Sign On section) for details.

ChssPly76
3

Create a unique token for the session and put it in a db table that both apps access.
Store the token in the user's cookie.
This avoids the session sharing issue and is also more scalable.

thethinman
  • And how are you going to authenticate with the second application using this approach - by faking a request to `j_security_check`? That doesn't exactly seem clean. Please do elaborate on "more scalable" as well. – ChssPly76 Oct 28 '09 at 17:04
  • Both apps use the token from the cookie to look up the user's session in the shared database. Synchronizing state between servers isn't as scalable as stateless servers. Session state should be in the cookie and database. – thethinman Oct 29 '09 at 03:42
  • I'm not talking about session state. How are you going to **authenticate** your user? Who's going to set the principal, what'll happen to declarative security, etc. – ChssPly76 Oct 29 '09 at 16:51
1

Here is how you can code it. I have been doing it for another bit of work I am working on.

First update

/etc/tomcatx/server.xml

For each context that requires to be shared

 <Context path="/servlets" crossContext="true"..
 <Context path="/solutions2" crossContext="true"..

Add the crossContext=true tag to each context. Now for the code to create and send shared session info.

..................................

The code to alter it..

// Context 1: sending servlet. Add the code below.
// This is AuthSuccess, within the master context that does the authentication.
// It gives examples of sharing a vector, the session and the request.
// All of that information lets the AuthSuccess that is executed on the
// other context read the provider and providerName session values back.
// In theory, once it authenticates, you can just store the output
// (email/display/logged in) and put it into the other context, or
// process it as it is on the other context.

// Vector example
Vector<String> roles = new Vector<String>();
roles.addElement("COOOGOOO");

// Redirect URL
String redir = "http://mydomain.com/solutions2/AuthSuccess";

// Get (or create) the session before reading its id
HttpSession session = req.getSession(true);
String sessionid = session.getId();

session.setAttribute("provider2", "provider_session_info");
session.setAttribute("providerName2", "providerName");

// Servlet context of this webapp, which the other context will look up
ServletContext myContext = getServletContext();

// The shared attribute names must match on the other end; the values can be
// objects, strings, sessions, whatever.
myContext.setAttribute("MYSHAREDSESSION", sessionid);
myContext.setAttribute("GOOFY", roles);

// Send the session directly
myContext.setAttribute("SharedSession", session);

// Send the HttpServletRequest
myContext.setAttribute("SharedRequest", req);

// Redirect to the new context/domain/subdomain
response.sendRedirect(redir);

//-------------------------------------------------------------

// Now, within the servlets of solutions2, AuthSuccess
// calls back the session info and processes as per normal.

// Add this to the new context path so that it looks in the first context
ServletContext firstOne = getServletContext().getContext("/servlets");

// Returns the previous session id
String jsessionid = (String) firstOne.getAttribute("MYSHAREDSESSION");

// Returns the session as it was
HttpSession providerSession = (HttpSession) firstOne.getAttribute("SharedSession");
// Returns the session strings we need
String g1 = (String) providerSession.getAttribute("provider2");
String g2 = (String) providerSession.getAttribute("providerName2");
pout += "---\n" + g1 + "\n" + g2;

// Grab the previous request to do request processing if required
HttpServletRequest nrequest = (HttpServletRequest) firstOne.getAttribute("SharedRequest");

// Retrieve the vector (stored under "GOOFY" by the sending servlet)
Vector<String> goo = (Vector<String>) firstOne.getAttribute("GOOFY");
if (goo != null && goo.size() > 0) {
    for (int a = 0; a < goo.size(); a++) {
        // Append each shared element to the output
        pout += goo.elementAt(a) + "\n";
    }
}
Master V
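
An added example, not code from any of the answers: a per-user, single-use variant of the cross-context handoff in the last answer, borrowing the random token idea from the second one. ServletContext attributes are application-wide, so a fixed attribute name holds one value for every user; here the shared attribute is a map keyed by an unguessable token instead. The names LoginHandoff, issue, redeem and LOGIN_HANDOFF are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example; class, method and attribute names are hypothetical.
// Each webapp ships its own copy of this class. Only JDK types (Map, String[])
// go into the shared ServletContext attribute, so both class loaders can read them.
public final class LoginHandoff {
    private static final SecureRandom RNG = new SecureRandom();

    // Sending app, after login: store the user under a random one-time token.
    // The token, not the session id, goes into the redirect URL.
    public static String issue(Map<String, String[]> pending, String user,
                               long nowMillis, long ttlMillis) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new String[] { user, Long.toString(nowMillis + ttlMillis) });
        return token;
    }

    // Receiving app: returns the user once; null if unknown, already used or expired.
    public static String redeem(Map<String, String[]> pending, String token, long nowMillis) {
        if (token == null) return null;
        String[] entry = pending.remove(token);  // atomic remove makes the token single use
        if (entry == null || nowMillis > Long.parseLong(entry[1])) return null;
        return entry[0];
    }

    public static void main(String[] args) {
        // Stands in for the map the sending app would publish once with
        // getServletContext().setAttribute("LOGIN_HANDOFF", pending) and the receiving
        // app would fetch with getServletContext().getContext("/servlets").getAttribute(...).
        Map<String, String[]> pending = new ConcurrentHashMap<>();
        long now = System.currentTimeMillis();

        String alice = issue(pending, "alice", now, 30_000);
        String bob = issue(pending, "bob", now, 30_000);
        System.out.println("alice, first use:  " + redeem(pending, alice, now + 1_000));
        System.out.println("alice, replayed:   " + redeem(pending, alice, now + 2_000));
        System.out.println("bob, after expiry: " + redeem(pending, bob, now + 60_000));
        System.out.println("guessed token:     " + redeem(pending, "not-a-token", now));
    }
}
```

After a successful redeem the receiving app creates its own session for the returned user. Tokens that are issued but never redeemed stay in the map, so a deployed version also needs a periodic sweep of expired entries.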