Distribute jsp session web application
Hi everybody,
Let me explain my problems:
Question 1:
I need to integrate 2 web applications which run on 2 different
server machines (JBoss) so that users can navigate them within a common session,
with some sessionID or something like that.
So, the scenario is:
webApp1 -----> WServer1(https)
webApp2 -----> WServer2(http)
When I link from webApp1 to webApp2, I need some way to
tell webApp2 that only webApp1 is authorized to go on.
The problem is that when I switch from https to http, the "url-referer"
is lost and webApp2 can't recognize the caller!!!
Does anybody have suggestions on how to fix it?
Question 2:
How can I build a jsp/servlet page that prevents malicious people from
saving a URL (http://mysite.com?orderNr=123&UserName=aaa&Password=7654) and
then using it in a new browser window to navigate the site without having
been authenticated???
Many many thanks in advance!!!
Re: Distribute jsp session web application
ocean2005@hotmail.it wrote:
>
> Question 2:
> How can I build a jsp/servlet page that prevents malicious people from
> saving a URL (http://mysite.com?orderNr=123&UserName=aaa&Password=7654) and
> then using it in a new browser window to navigate the site without having
> been authenticated???
First of all, never, never, show the password on a URL string. Avoid
username too. Pass them along as session attributes. Your second
question automatically gets taken care of.
Re: Distribute jsp session web application
"HalcyonWild" <Halcyon.Wild@gmail.com> wrote in message
news:1129543854.293125.55740@g44g2000cwa.googlegroups.com...
>
> ocean2005@hotmail.it wrote:
>>
>> Question 2:
>> How can I build a jsp/servlet page that prevents malicious people from
>> saving a URL (http://mysite.com?orderNr=123&UserName=aaa&Password=7654) and
>> then using it in a new browser window to navigate the site without having
>> been authenticated???
>
>
> First of all, never, never, show the password on a URL string. Avoid
> username too. Pass them along as session attributes. Your second
> question automatically gets taken care of.
As a general rule of thumb, you should ask yourself "Should I allow my
users to share this link or otherwise bookmark it?" If so, then use GET
attributes as in the example above. Otherwise, use POST or a Session object
as Halcyon advises.
It may occasionally make sense to allow the username to appear in the
query string; e.g. [url]http://mysite.com/profile.jsp?username=Oliver[/url] if you want
to let your users give their friends a direct link to their profile.
- Oliver
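
The advice in the replies, sketched as a servlet; this is an added example, not code from any post in the thread. The class name, the `/order` mapping, the `authUser` attribute and the demo account are assumptions, the parameter names come from the URL in the question, and the imports are `javax.servlet` (Servlet 3.1 or later; `jakarta.servlet` on newer containers).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Hypothetical servlet, assumed to be mapped to /order.
public class OrderServlet extends HttpServlet {
    // Constructed demo account; a real application checks a store of salted password hashes.
    private static final String DEMO_USER = "aaa";
    private static final byte[] DEMO_PASS = "demo-only".getBytes(StandardCharsets.UTF_8);
    // The login form submits with POST, so credentials travel in the request body.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("UserName");
        String pass = req.getParameter("Password");
        // getParameter() merges query string and body, so refuse any login that has a query string.
        boolean ok = user != null && pass != null && req.getQueryString() == null
                && DEMO_USER.equals(user)
                && MessageDigest.isEqual(DEMO_PASS, pass.getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession(true);
        req.changeSessionId();  // fresh session id after login (Servlet 3.1+)
        req.getSession().setAttribute("authUser", user);  // identity lives server-side only
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // A saved /order?orderNr=123 link works only while the browser holds an authenticated session.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);  // never create a session for a stranger
        Object user = (session == null) ? null : session.getAttribute("authUser");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String orderNr = req.getParameter("orderNr");
        if (orderNr == null || !orderNr.matches("\\d{1,9}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // A real application must also verify that this order belongs to the session's user.
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Order " + orderNr + " for " + user);
    }
}
```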