如何将会话从一台 Tomcat 服务器转移到另一台?
我们有一个用于网店的 Tomcat 服务器,当用户登录时,我们需要将用户转移到另一台(安全)服务器。以下是详细说明:
1)我们有两个 Tomcat 服务器:一个“常规”(HTTP)和一个安全 (HTTPS)
2) 用户最初访问常规服务器
3) 当他们登录时,我们需要获取他们的登录数据,以及有关他们当前所在页面(或试图查看)的信息,将其传递到安全服务器并进行实际登录;例如,未登录的用户看到产品列表,单击“购买”并显示弹出窗口,要求用户登录;用户输入他/她的凭据,这些凭据以及有关他想要购买什么产品的信息将被传递到安全服务器;安全服务器接收这些信息,执行登录并向用户显示请求的产品,
这是怎么做到的?请注意以下几点:
1) 我们尝试过使用 cookies,但我们决定不这样做
2) 将会话保留到数据库,然后让安全服务器获取它也不是一个选项
有没有其他方式?我们正在考虑创建一个对象,然后将其作为 HTTP POST 参数传递,但我不确定如何做到这一点(我被赋予了完成它的任务)。
就其价值而言,我们使用的技术是 Tomcat 服务器、Wicket、Spring、iBatis 和 MySQL。
提前致谢 :)
We have a Tomcat server for a web shop, and we need to transfer the user to another (secure) server when he/she logs in. Here's a detailed explanation:
1) We have two Tomcat servers: one 'regular' (HTTP) and one secure (HTTPS)
2) Users initially visit the regular server
3) When they log in, we need to get their log in data, as well as the information about what page they were currently on (or were trying to see), pass it to the secure server and do the actual login; for instance, a non-logged in user sees a list of products, clicks 'BUY' and a popup is displayed, asking the user to log in; the user enters his/hers credentials and these, as well as the information about what product he wants to buy, are passed to the secure server; the secure server receives these, performs the login and displays the requested product to the user
How could this be done? Please note the following:
1) We've tried doing it with cookies, but we've decided not to go that way
2) Persisting the session to a database and then having the secure server fetch it is also not an option
Are there any other ways? We were thinking about creating an object and then passing it as a HTTP POST parameter, but I'm not sure how this could be done (I've been given the task to finish it).
For what it's worth, the technologies we use are Tomcat server, Wicket, Spring, iBatis and MySQL.
Thanks in advance :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果要在不同 Tomcat 实例之间共享会话,可以将它们配置为具有会话复制功能的集群:http://tomcat.apache.org/tomcat-7.0-doc/cluster-howto.html
然后,您可以配置 Apache HTTP Server 作为负载均衡器,从而使确保 HTTP 请求发送到服务器 1,HTTPS 请求发送到服务器 2。
但是,您也可以只配置一个 Tomcat 实例(或 N 个相同的实例)来同时处理 HTTP 和 HTTPS,并确保使用标准 (
...CONFIDENTIAL ...
in web.xml)或特定于框架的配置。If you want to share the session between different Tomcat instances, you could configure them to work as a cluster with session replication: http://tomcat.apache.org/tomcat-7.0-doc/cluster-howto.html
Then, you could configure an Apache HTTP Server to work as a load balancer, making sure that HTTP requests go to server 1 and HTTPS requests go to server 2.
But, you could also have only one Tomcat instance (or N identical instances) configured to handle both HTTP and HTTPS, and ensure the secure access with standard (
...<transport-guarantee>CONFIDENTIAL</transport-guarantee>...
in web.xml) or framework-specific configuration.不确定我是否明白您想要的要点,但您可以让“弹出窗口”成为从安全应用程序到受保护 URL 的页面。这将导致身份验证在安全服务器上进行,您可以从那里开始。例如,如果不安全的产品页面位于 www.domain.com/browse/id1,则“购买”按钮将打开一个弹出窗口到 secure.domain.com/buy/id1,从而在传输产品时进行身份验证URL 上的 id。
Not sure if I'm getting the gist of what you want but you could have the "pop-up" be a page served from the secure application to a protected URL. That would cause the authentication to occur at the secure server and you could go from there. For example, if the unsecured product page is on www.domain.com/browse/id1, then the "buy" button would open a pop-up to secure.domain.com/buy/id1, causing the authentication while transmitting the product id on the URL.