在Jetty9 WebAppContexts之间实现SSO

Question

The Jetty 9 application I am developing automatically scans a set of JarFiles for web.xml, then programmatically imports the contained webapps as WebAppContexts. I need to implement single sign-on between the individual webapps, as explained in the following tutorial for Jetty 6: http://docs.codehaus.org/display/JETTY/Single+Sign+On+-+Jetty+HashSSORealm . Unfortunately, HashSSORealm seems to have been removed from Jetty. Are there any viable alternatives for implementing simple SSO?

I did find this post recommending the Fediz jetty plugin, but would prefer to use a native jetty solution if such a thing exists: http://dev.eclipse.org/mhonarc/lists/jetty-users/msg03176.html

Further info:

The central issue seems to be that each WebAppContext must have its own SessionManager, making it impossible for the WebAppContexts to share information with one another even when using the same cookie.

Answer 1

I solved the issue- you simply have to assign the same instance of SessionManager to each WebAappContext's SessionManager. It'll look a little something like this, assuming all WebAppContexts are grouped under the /webapps/ context path:

 // To be passed to all scanned webapps. Ensures SSO between contexts
SessionManager sessManager = new HashSessionManager();
SessionCookieConfig config = sessManager.getSessionCookieConfig();
config.setPath("/webapps/"); // Ensures all webapps share the same cookie

// Create the Handler (a.k.a the WebAppContext).
App app = new App(deployer, provider, module.getFile().getAbsolutePath());
WebAppContext handler = (WebAppContext)app.getContextHandler(); // getContextHandler does the extraction
// Consolidating all scanned webapps under a single context path allows SSO
handler.setContextPath("/webapps" + handler.getContextPath());
// Cookies need to be shared between webapps for SSO
SessionHandler sessHandler = handler.getSessionHandler();
sessHandler.setSessionManager(sessManager);

Answer 2

If you share the SessionManager across WebAppContexts, then all of those WebAppContexts share exactly the same session instances. The Servlet Spec says that the WebAppContexts should share session ids, not session contents.

Jan