Passing session to a different machine in JSF

 
Greenhorn
In my JSF application, the user starts on the primary server, where the session begins, and is then redirected to a different server using sendRedirect. I want to pass an authentication token from the primary server to the next server. I am trying to set a session attribute as:


And then send it to the next server as:




But this attribute is not reaching the new server. I cannot pass this auth_token as a request parameter, as that won't be secure. So how do I get some session data to the new server?
 
Rancher
On a different server you'll have a different session, so that won't work. Maybe SSO is what you really need? See https://coderanch.com/how-to/java/SecurityFaq#web-apps for some Java implementations.

Or maybe you can pass a cryptographically secure token as part of the URL that the target machine can use to look up any required information in a shared DB? This token would have to expire quickly, and be valid for just this particular user, so that it can't be captured and reused.
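
The one-time URL token suggested in the reply above, as an added example that is not part of the original thread. The class name, the 30-second lifetime, the server2.example URL and the in-memory map standing in for the shared DB are assumptions, and storing only a hash of the token goes beyond what the reply describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical one-time handoff ticket; the map stands in for the shared DB table. */
public class HandoffTickets {
    private record Ticket(String user, Instant expires) {}
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofSeconds(30); // assumed lifetime
    private final Map<String, Ticket> sharedStore = new ConcurrentHashMap<>();

    /** Primary server: bind a fresh random token to the already authenticated user. */
    public String issue(String user, Instant now) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sharedStore.put(sha256(token), new Ticket(user, now.plus(TTL))); // keep only the hash
        return token;
    }

    /** Target server: redeem at most once; the atomic remove() makes a replay fail. */
    public Optional<String> redeem(String token, Instant now) {
        Ticket t = sharedStore.remove(sha256(token));
        if (t == null || now.isAfter(t.expires())) return Optional.empty();
        return Optional.of(t.user()); // caller starts its own local session for this user
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        HandoffTickets tickets = new HandoffTickets();
        Instant now = Instant.now();
        String token = tickets.issue("alice", now); // constructed sample user
        System.out.println("redirect to https://server2.example/handoff?ticket=" + token);
        System.out.println(tickets.redeem(token, now.plusSeconds(5)));  // first use
        System.out.println(tickets.redeem(token, now.plusSeconds(6)));  // replay of the same token
        String late = tickets.issue("alice", now);
        System.out.println(tickets.redeem(late, now.plusSeconds(31)));  // used after expiry
    }
}
```

With a real database the remove-and-check must be a single atomic statement or transaction, and the redirect should go over HTTPS so the ticket is not exposed in transit.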
 
Saloon Keeper
Inter-VM HttpSession sharing isn't a JSF characteristic. It's something that typically has to be configured in the webapp server itself - assuming that the server in question supports such a feature.

Now as far as passing a token for a Do-It-Yourself login system around, DIY logins are notoriously secure even without such complications. The J2EE standard security system can be configured to use an SSO Realm and in that case, not only do you get proven pre-debugged security, but you don't have to do tricks with HTTPSession at all.
 
Ulf Dittmer
Rancher

Tim Holloway wrote:...notoriously secure ...



I am certain that is meant to read "notoriously insecure" :)
 
Tim Holloway
Saloon Keeper

Ulf Dittmer wrote:

Tim Holloway wrote:...notoriously secure ...



I am certain that is meant to read "notoriously insecure" :)



Indeed. As in wet tissue paper.
 