Passing session to a different machine in JSF

 
Akhil Pratap Singh
Greenhorn
Posts: 8
In my JSF application, the user starts on the primary server, where the session begins, and then the user is redirected to a different server using sendRedirect. I want to pass some authentication token to the next server from the primary server. I am trying to set a session attribute as:


And then send it to the next server as:




But this attribute is not reaching the new server. I cannot pass this auth_token as a request parameter, as that won't be secure. So how do I get some session data to the new server?
 
Ulf Dittmer
Rancher
Posts: 42972
  • Likes 1
On a different server you'll have a different session, so that won't work. Maybe SSO is what you really need? See http://www.coderanch.com/how-to/java/SecurityFaq#web-apps for some Java implementations.

Or maybe you can pass a cryptographically secure token as part of the URL that the target machine can use to look up any required information in a shared DB? This token would have to expire quickly, and be valid for just this particular user, so that it can't be captured and reused.
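
The token handoff suggested in the reply above, sketched as an added example that is not code from this thread: a random single-use token is issued for one user, expires after 30 seconds, and is redeemed by the target server. The class and method names (`HandoffTokens`, `issue`, `redeem`) are hypothetical, and the in-memory map is an assumed stand-in for the shared DB.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class HandoffTokens {
    // Assumption: stands in for a table in the DB that both servers share.
    private final ConcurrentHashMap<String, Grant> store = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private static final Duration TTL = Duration.ofSeconds(30);
    private record Grant(String userId, Instant expires) {}

    // Primary server: call just before sendRedirect and append the result to the URL.
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hash(token), new Grant(userId, now.plus(TTL)));
        return token;
    }

    // Target server: remove() is atomic, so a captured token cannot be redeemed twice.
    public Optional<String> redeem(String token, Instant now) {
        Grant g = store.remove(hash(token));
        if (g == null || !now.isBefore(g.expires())) return Optional.empty();
        return Optional.of(g.userId());
    }

    // Only the SHA-256 of the token is stored, so reading the table yields no usable token.
    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        HandoffTokens t = new HandoffTokens();
        Instant now = Instant.now();
        String tok = t.issue("user-123", now);                   // constructed sample user id
        System.out.println(t.redeem(tok, now.plusSeconds(5)));   // first use: user id returned
        System.out.println(t.redeem(tok, now.plusSeconds(6)));   // replay: Optional.empty
    }
}
```

The target server would create its own session for the returned user id after a successful `redeem`, and the redirect should go over HTTPS since the token travels in the URL.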
 
Tim Holloway
Bartender
Posts: 18709
Inter-VM HttpSession sharing isn't a JSF characteristic. It's something that typically has to be configured in the webapp server itself - assuming that the server in question supports such a feature.

Now, as far as passing a token for a Do-It-Yourself login system around, DIY logins are notoriously secure even without such complications. The J2EE standard security system can be configured to use an SSO Realm and in that case, not only do you get proven pre-debugged security, but you don't have to do tricks with HttpSession at all.
 
Ulf Dittmer
Rancher
Posts: 42972
  • Likes 1
Tim Holloway wrote:...notoriously secure ...


I am certain that is meant to read "notoriously insecure" :)
 
Tim Holloway
Bartender
Posts: 18709
Ulf Dittmer wrote:
Tim Holloway wrote:...notoriously secure ...


I am certain that is meant to read "notoriously insecure" :)


Indeed. As in wet tissue paper.
 
Don't get me started about those stupid light bulbs.