I have got two applications running under the same server (Tomcat 7).
Under the first application I have got a login page with username and password fields.
On click of the Logon button, I am calling a Jersey RESTful service (a different application).
<html>
<head>
<title>Login Page 122</title>
</head>
<body>
<form action="LoginServlet" method="post">
Username: <input type="text" name="user">
<br>
Password: <input type="password" name="pwd">
<br>
<input type="button" value="Login User" onclick="LoginAdmin()">
</form>
</body>
</html>
function LoginAdmin() {
    $.ajax({
        type: 'GET',
        url: url + '/RFS/admin/adminlogin?UUID=' + UUID,
        //contentType: 'application/json; charset=utf-8',
        jsonpCallback: 'jsonCallback',
        cache: true,
        dataType: 'jsonp',
        jsonp: false,
        success: function (response) {
            var testdata = JSON.stringify(response);
        },
    });
}
The RESTful service will validate the data against the database, and if it's successful I am setting an attribute in the HttpSession.
session.setAttribute("user","LoggedIN");
Under the first application I have written a Filter which protects HTML resources from being accessed directly without the user logging in.
Now inside my servlet Filter I am trying to use that session attribute.
But the issue is that, as they are two different applications, they have two different sessions.
So the session attribute I am getting is always NULL.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthenticationFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig fConfig) throws ServletException {
        this.context = fConfig.getServletContext();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String uri = req.getRequestURI();
        this.context.log("Requested Resource::" + uri);
        // Look up the existing session only; do not create a new one here.
        HttpSession session = req.getSession(false);
        // Null-safe comparison: a missing "user" attribute must redirect, not throw.
        if (session == null || !"LoggedIN".equals(session.getAttribute("user"))) {
            this.context.log("Unauthorized access request");
            System.out.println("Into session is null condition");
            res.sendRedirect("login.html");
        } else {
            System.out.println("Into chain do filter");
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
    }
}
Is there any way we can solve this?
IMHO, it is not possible to share a session between different applications. But it is indeed possible to share authentication. It is called Single Sign On, and a full example of that is CAS.
Here are generalities about it, with 3 parts: a client (typically a browser), a web application and an authentication server.
The low-level part in the web application is automated by a client library.
You can either directly use CAS, or use that as a guide to how to do remote authentication. I urge you to look at the full protocol description because this answer can only be used as a general introduction.
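The ticket exchange behind this kind of single sign-on, as an added example that is not part of the original answer and is not CAS's own code: a simplified in-memory model in which the authentication server issues a one-time ticket bound to one application, and that application validates it server-to-server before setting its own session attribute. The class names, sample URLs and the 10-second lifetime are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of a CAS-style service ticket exchange (hypothetical names).
public class TicketExchangeDemo {

    static final class Grant {
        final String user, service; final long expires;
        Grant(String u, String s, long e) { user = u; service = s; expires = e; }
    }

    // Authentication-server side: issues and validates one-time tickets.
    static class AuthServer {
        private static final long TTL_MS = 10_000; // assumed short ticket lifetime
        private final SecureRandom rng = new SecureRandom();
        private final Map<String, Grant> tickets = new ConcurrentHashMap<>();

        // Called after the user has authenticated at the authentication server.
        String issueTicket(String user, String serviceUrl) {
            byte[] raw = new byte[24];
            rng.nextBytes(raw); // unguessable ticket value
            String ticket = "ST-" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            tickets.put(ticket, new Grant(user, serviceUrl, System.currentTimeMillis() + TTL_MS));
            return ticket;
        }

        // Called by the web application; returns the user name or null.
        String validate(String ticket, String serviceUrl) {
            Grant g = tickets.remove(ticket);                 // removed first: single use
            if (g == null) return null;                       // unknown or replayed ticket
            if (!g.service.equals(serviceUrl)) return null;   // issued for another application
            if (System.currentTimeMillis() > g.expires) return null; // expired
            return g.user;
        }
    }

    public static void main(String[] args) {
        AuthServer auth = new AuthServer();
        String app1 = "https://host.example/app1/"; // constructed sample URLs
        String app2 = "https://host.example/app2/";

        String t1 = auth.issueTicket("alice", app1);
        System.out.println("app1, first use: " + auth.validate(t1, app1));
        System.out.println("app1, replay: " + auth.validate(t1, app1));
        String t2 = auth.issueTicket("alice", app1);
        System.out.println("app1 ticket sent to app2: " + auth.validate(t2, app2));
    }
}
```

In a filter like the one in the question, a non-null result from the validation call is the point at which the application would set the "user" attribute in its own session.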