如何在 Tomcat 上将 JSESSIONID 域设置为二级?
我在 Tomcat 上有以下域的可用服务:
sub1.domain1.com
sub2.domain1.com
sub1.domain2.com
sub2.domain2.com
现在我需要对domain1进行透明授权(Spring Security)。如果用户登录到 sub1.domain1.com,他也获得了 sub2.domain1.com 的授权。
这可以通过 Tomcat 的设置来完成
sessionCookieDomain=".domain1.com"
,但现在 sub1.domain2.com 上的授权根本不起作用,因为所有 JSESSIONID cookie 域始终设置为“.domain1.com”。
我怎样才能让tomcat只使用当前域的第二级cookies?
I have a service on Tomcat available at the following domains:
sub1.domain1.com
sub2.domain1.com
sub1.domain2.com
sub2.domain2.com
Now I need transparent authorization (Spring Security) for domain1. If user logs in to the sub1.domain1.com he is authorized on sub2.domain1.com too.
This can be done with Tomcat's setting
sessionCookieDomain=".domain1.com"
But now authorization on sub1.domain2.com doesn't work at all because all JSESSIONID cookie domain is always set to ".domain1.com".
How could I make tomcat use only second level of current domain for the cookies?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
简单的答案是没有简单的答案。本质上,您需要一个主登录站点,以及辅助站点为其域设置 cookie 的方案,以克隆主站点的会话令牌。实现这一点很复杂。
Shibboleth 和 JASIG CAS 是两种可能的 SSO 技术。
有关更多详细信息,请参阅跨多个域的单点登录的答案
如果
foo.domain1.com尝试设置路径.domain2.com或anything.domain2.com的 cookie,浏览器将忽略它出于安全原因。您必须经历复杂的重定向过程才能在两个域上设置 cookie。阅读我链接到(上面)的问题/答案以了解更多详细信息。The simple answer is that there is no simple answer. Essentially you need a primary login site, and scheme whereby secondary sites get to set cookies for their domain that clone the primary site's session token. Implementing this is complicated.
Two possible SSO technologies are Shibboleth and JASIG CAS.
For more details, refer to the answers to Single Sign On across multiple domains
If
foo.domain1.comtries to set a cookie with path.domain2.comoranything.domain2.com, the browser will ignore it for security reasons. You have to go through a complex dance of redirections to set the cookies on both domains. Read the question / answers I linked to (above) for more details.