8 Replies Latest reply on Nov 29, 2010 11:53 AM by mrfixit440

new session id with new browser window with tomcat 6.0.29

mrfixit440 Nov 19, 2010 12:42 PM

I have a webapp deployed to jboss 4.2.3.GA(including tomcat 6.0.20) with a IIS frontend using AJP 1.3. IIS is using CAC authentication and will forward to jboss when successfull. The first jsp that is hit after login, saves request.getRemoteUser() to session, creates a user object and saves that to session, and then it opens a new window to load a second jsp. This second jsp reads the user object from session and begins to populate page with user specific info. This setup works good.

However, when I upgrade jbossweb.jar to tomcat 6.0.29, the session id is different between the 2 jsp pages, so I never can get the user object out of session in the second jsp and it fails to populate. Both jsp's are in the same web context. I tried firefox and IE 7. It seems like the new browser window is causing the second jsp to report a different session id than the first jsp.

Is there a configuration setting that I need to set for 6.0.29?

Here is my server.xml snippet:

Here is my jboss-web.deployer/context.xml:

   To enable session persistence for a single web app, add a
   WEB-INF/context.xml
   -->
   <Manager pathname="" />

<InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>

</Context>

1. Re: new session id with new browser window with tomcat 6.0.29

jfclere Nov 22, 2010 2:28 AM (in response to mrfixit440)

Dan Rush wrote:

However, when I upgrade jbossweb.jar to tomcat 6.0.29,
What did you do?
Actions
2. Re: new session id with new browser window with tomcat 6.0.29

mrfixit440 Nov 23, 2010 1:23 PM (in response to jfclere)

i built tomcat 6.0.29 and replaced the org packages in jbossweb.jar. I just built 6.0.20 and 6.0.24 and tested them. 6.0.20 works and 6.0.24 has the same symptoms as 6.0.29. Is there some detailed release notes for 6.0.24 that I can look at?
Actions
3. Re: new session id with new browser window with tomcat 6.0.29

mrfixit440 Nov 23, 2010 2:25 PM (in response to mrfixit440)

I found my problem. In my web app, I extended AuthenticatorBase and in my authenticate method, I do this:

Principal principal = context.getRealm().authenticate(username, password);
if (principal != null) {
    register(request, response, principal, "EXTERNAL", username, password);
}

EXTERNAL is defined as an Authenticator in jboss-web.deployer/META-INF/jboss-service.xml
EXTERNAL is also set in web.xml, like this:
<login-config>
      <auth-method>EXTERNAL</auth-method>

The register method in AuthenticatorBase does this:

if (session != null && changeSessionIdOnAuthentication) {
            Manager manager = request.getContext().getManager();
            manager.changeSessionId(session);
            request.changeSessionId(session.getId());
}

My authenticate method is getting called by AuthenticatorBase.invoke method for every page and session id is getting changed by request.changeSessionId(session.getId()); in AuthenicatorBase which was introduced in 6.0.24.

What can I do to stop this?
Actions
4. Re: new session id with new browser window with tomcat 6.0.29

jfclere Nov 24, 2010 3:06 AM (in response to mrfixit440)

Dan Rush wrote:

i built tomcat 6.0.29 and replaced the org packages in jbossweb.jar. I just built 6.0.20 and 6.0.24 and tested them. 6.0.20 works and 6.0.24 has the same symptoms as 6.0.29. Is there some detailed release notes for 6.0.24 that I can look at?
That won't work the jbossweb.jar should be build from http://anonsvn.jboss.org/repos/jbossweb/branches/JBOSSWEB_2_0_0_GA_CP/
Actions
5. Re: new session id with new browser window with tomcat 6.0.29

jfclere Nov 24, 2010 3:14 AM (in response to mrfixit440)

Dan Rush wrote:

I found my problem. In my web app, I extended AuthenticatorBase and in my authenticate method,
the code in jbossweb is different to Tomcat....
Actions
6. Re: new session id with new browser window with tomcat 6.0.29

mrfixit440 Nov 24, 2010 12:48 PM (in response to jfclere)

----- That won't work the jbossweb.jar should be build from
------ http://anonsvn.jboss.org/repos/jbossweb/branches/JBOSSWEB_2_0_0_GA_CP/

Reading about jbossweb versions, the latest jbossweb version corresponds to the latest tomcat version. Do I get this one for tomcat 6.0.29?

http://anonsvn.jboss.org/repos/jbossweb/branches/JBOSSWEB_2_1_7_GA_JBPAPP-5170/
Actions
7. Re: new session id with new browser window with tomcat 6.0.29

jfclere Nov 25, 2010 2:50 AM (in response to mrfixit440)

Reading about jbossweb versions, the latest jbossweb version corresponds to the latest tomcat version.
jbossweb is a fork of tomcat 6 we only port the security issues, selected issues and the issues reported by our customers or our user.
http://anonsvn.jboss.org/repos/jbossweb/tags/JBOSSWEB_2_0_0_GA_CP15/ corresponds to tomcat 6.0.29 we will/may do a CP16 once 6.0.30 will be out.
Actions
8. Re: new session id with new browser window with tomcat 6.0.29

mrfixit440 Nov 29, 2010 11:53 AM (in response to jfclere)

Thanks, you've been a great help!
Actions

Go to original post