May 2 web applications share user session info?

I have 2 web applications (app1.war and app2.war).
app1 sets user session info.
I wish app2 to read that user session info.
Is this possible?
Thank you.

As far as I understood, SSO needs an Infrastructure or (OID) installed. If the original idea of LDAP is to help the enterprise centralize their user information and make management of the commonly used information easier, why does Oracle require its own OID to do SSO?
Now, say, in an environment, if an organization already has an LDAP server (such as MS AD, or Sun's iPlanet AD) in place, why should they install Oracle's Internet Directory?
This is a big headache for management just trying to configure and keep different LDAP servers synchronized.
Sharing user session info is a very common requirement for integrating. Is there a simple way (other than SSO) to achieve this? Will Servlet Filter be able to handle this?
Thanks.

Similar Messages

  • Requesting user/session info causing error

    The provider application consists of 4 PDK .jar files (pdkjava.jar ptlshare.jar regexp.jar tidy.jar) among other things. It was working fine until User/Session info (per login) was requested. Now the following error is returned when adding a portlet page:
    The following error occurred when attempting to call the initSession of the Web Provider: DOCMEIPURLSUN
    SOAP-ENV:Server.Exception, , java.lang.NullPointerException
        at oracle.portal.provider.v2.http.URLProviderInstance.initSession(Unknown Source)
        at oracle.webdb.provider.v2.adapter.soapV1.ProviderAdapter.initSession(Unknown Source)
        at java.lang.reflect.Method.invoke(Native Method)
        at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.doMethodCall(Unknown Source)
        at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.processInternal(Unknown Source)
        at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.process(Unknown Source)
        at oracle.webdb.provider.v2.adapter.SOAPServlet.doSOAPCall(Unknown Source)
        at oracle.webdb.provider.v2.adapter.SOAPServlet.service(Unknown Source)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
        at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
        at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
        at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
        at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
        at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
        at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    Did I miss a PDK .jar file? Or did I miss some setup to enable User/Session info?

    It was our own application. Actually, it was a partner's web application. To integrate it with Portal PDK V2, we added the 4 .jar files.
    Our real problem is not getting cookies sent from the application through the portal to the browser. That's why we tried different settings on the provider/connection page. First we checked the box 'Web provider in same cookie domain as the portal'. That didn't help. Then we selected the 'Once Per User Session'. Because of the error, we changed it back to 'Never'. Finally, we checked the box 'Require portal user specific session information'. It also didn't help.
    How could we solve the cookie problem?

  • Authentication in clustered web application without sticky session

    I have built JSP/Servlet/Struts applications in the past on a cluster of app servers. Each app server has its own JVM running the Servlet Container. All of the HTTP requests come into a hardware load balancer, which directs the requests to one of the app servers in the cluster.
    I have wanted to use the Java HttpSession management without any kind of distributed session provided by the app server. We have used "sticky" sessions. The application writes a cookie to the client on the first request. The load balancer looks for that cookie on subsequent requests and directs the request to the server that originally wrote the cookie. This ensures that all requests within the same session are handled by the same application server. This also means that if I do request.getSession().setAttribute("authenticated",true) on one request, when I do request.getSession().getAttribute("authenticated") on subsequent requests in the same session, I can be sure the value will not be null. This allows me to create a filter that checks for that session attribute on each request, and if it is false or null, redirect the request to some sort of login page. Otherwise I can be sure the user has logged in.
    I want to build a stateless/non-session based application that can still handle authentication. What I mean by that is that I don't want the load balancer to have to send requests for the same session all to the same server. I would like the load balancer to send each request where ever it wants. That means the simple authentication example I explained in the last paragraph would not work. The user could login on server A, but then on a subsequent request during the same "session", the user's request could be handled by server B. In that case, the session attribute would be null, and the app would think that the user has not logged in.
    My application can require that users have cookies enabled, so therefore I can assume the user is accepting cookies (I would have something to check that and redirect the user to an error page saying "turn cookies on" if cookies weren't on). I think one thing that I could do is use encryption with a key that is shared between all the servers in the cluster. For example, user logs in on server A, server A writes a cookie with the contents "username,1109272102009". The first part being the username that the user successfully authenticated as and the second part being a timestamp for when the cookie was created. The contents of the actual cookie would be encrypted and I would send the ciphertext as the value of the cookie. When server B gets the cookie, it can decrypt the ciphertext (using the same key as was used to encrypt the data on server A), and check that the username is valid and that the timestamp does not exceed some timeout. The timestamp in the cookie would then have to be updated for the next request.
    So my question is (thanks for sticking with me and reading this really long post), has anyone done anything like this before? Is what I have described totally ridiculous or insecure? Are there any books or articles that describe a pattern similar to this that has been known to work well?

    I have worked on a web site that did exactly that.
    The cookie contained a little bit more information - there was a small amount of user data that were needed on heavily accessed pages.
    You'll have a problem if your web application uses attributes. We solved this by keeping most stuff in hidden inputs (backed up by hidden input cryptographic checksums in places where forgery was a concern.) HttpSession attributes have some problems and gotchas.
    A few possible fine tunings:
    Add a random number to the cookie. Should make known plaintext attacks harder.
    Add some extra stuff to the cookie, so that any random hex string that happens to decode to "xZoiyqw,15" isn't accepted. It's easy to try a million cookies until you get "<something>,<integer>" but getting "<something>,<integer>,HelloHowAreYou" is a lot harder.
    Be paranoid in checking the format of the cookie. If you add a random number, check that it is all digits etc. Belt and suspenders: also check that the time stamp isn't in the future (allow e.g. 15 seconds future time, in case different servers' clocks are a bit off.)
    Don't update the cookie at every hit, only if the time stamp is older than a couple of minutes. Saves encryption CPU power.
    After encrypting, prepend a short version number to the cookie. E.g. if the hex cookie is ABCDEF, make it 1ABCDEF. If you later e.g. change the encryption algorithm, change version to 2 and you can easily skip any obviously non-decipherable cookies. A second version number within the cookie might or might not be useful.
    Even though you can make random load balancing, consider not doing that. E.g. a server might pull the user's name from the database into memory cache. You get less database traffic and smaller caches if the user still goes to the same server. If a server goes down, only then switch him elsewhere. Downside though: if one server is "half alive" (doesn't respond to requests but alive enough so the load balancer doesn't notice the malfunction), all users bound to that server see a 100% failure.
    Benchmark cookie decryption time when selecting the crypto algorithm. How many hits per second you can get and how many you need.
    Guard your crypto keys like the crown jewels. Change them periodically and whenever someone in your company (especially IT department) gets the pink slip.
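
The encrypted login cookie discussed in this thread, as an added example that is not code from either poster. It swaps in AES-GCM authenticated encryption, whose random IV and integrity tag take the place of the suggested random number and marker text; the class name, timeout values and username pattern are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

public class StatelessAuthCookie {                         // hypothetical class name
    private static final String VERSION = "1";             // prepended after encryption
    private static final int IV_LEN = 12, TAG_BITS = 128;  // usual AES-GCM sizes
    private static final long TIMEOUT_MS = 30 * 60_000L;   // assumed idle timeout
    private static final long FUTURE_SKEW_MS = 15_000L;    // tolerated clock drift
    private static final long REFRESH_AFTER_MS = 2 * 60_000L;
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");
    private static final Pattern DIGITS = Pattern.compile("[0-9]{1,15}");

    private final SecretKey key;   // the same key is provisioned on every server
    private final SecureRandom random = new SecureRandom();

    public StatelessAuthCookie(SecretKey key) { this.key = key; }

    /** What a valid cookie proves: who logged in and when the cookie was issued. */
    public static final class Session {
        public final String username;
        public final long issuedMs;
        Session(String username, long issuedMs) { this.username = username; this.issuedMs = issuedMs; }
    }

    private Cipher cipher(int mode, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN)); // IV = first 12 bytes
        c.updateAAD(VERSION.getBytes(StandardCharsets.US_ASCII));           // tag covers the version
        return c;
    }

    public String issue(String username, long nowMs) throws GeneralSecurityException {
        if (!USERNAME.matcher(username).matches()) throw new IllegalArgumentException("bad username");
        byte[] iv = new byte[IV_LEN];
        random.nextBytes(iv);  // fresh random IV: equal plaintexts give different cookies
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, iv)
                .doFinal((username + "," + nowMs).getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return VERSION + Base64.getUrlEncoder().withoutPadding().encodeToString(blob);
    }

    /** Returns the session only if the cookie decrypts, parses strictly and is fresh. */
    public Optional<Session> verify(String cookie, long nowMs) {
        if (cookie == null || cookie.length() > 512 || !cookie.startsWith(VERSION)) return Optional.empty();
        try {
            byte[] blob = Base64.getUrlDecoder().decode(cookie.substring(VERSION.length()));
            if (blob.length <= IV_LEN + TAG_BITS / 8) return Optional.empty();
            byte[] pt = cipher(Cipher.DECRYPT_MODE, blob).doFinal(blob, IV_LEN, blob.length - IV_LEN);
            String[] parts = new String(pt, StandardCharsets.UTF_8).split(",", -1);
            if (parts.length != 2 || !USERNAME.matcher(parts[0]).matches()
                    || !DIGITS.matcher(parts[1]).matches()) return Optional.empty();
            long issued = Long.parseLong(parts[1]);
            if (issued > nowMs + FUTURE_SKEW_MS) return Optional.empty();  // stamped in the future
            if (nowMs - issued > TIMEOUT_MS) return Optional.empty();      // timed out
            return Optional.of(new Session(parts[0], issued));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return Optional.empty();  // bad tag, bad Base64: treat all failures alike
        }
    }

    /** Re-issue only when the stamp is a couple of minutes old, not on every hit. */
    public boolean needsRefresh(Session s, long nowMs) { return nowMs - s.issuedMs > REFRESH_AFTER_MS; }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey shared = kg.generateKey();  // demo only: load from a secret store in practice
        StatelessAuthCookie serverA = new StatelessAuthCookie(shared);
        StatelessAuthCookie serverB = new StatelessAuthCookie(shared);

        long t0 = 1109272102009L;             // timestamp taken from the post's example
        String cookie = serverA.issue("username", t0);
        System.out.println("valid on B:  " + serverB.verify(cookie, t0 + 60_000L).isPresent());
        char[] chars = cookie.toCharArray();
        chars[10] = chars[10] == 'A' ? 'B' : 'A';  // constructed tampering: one character changed
        System.out.println("tampered:    " + serverB.verify(new String(chars), t0).isPresent());
        System.out.println("expired:     " + serverB.verify(cookie, t0 + TIMEOUT_MS + 1).isPresent());
        System.out.println("from future: " + serverB.verify(cookie, t0 - 60_000L).isPresent());
    }
}
```

The cookie is a bearer token, so it should be sent with the Secure and HttpOnly attributes; a captured copy stays valid until its timestamp expires.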

  • Accessing web application from users' PC

    Hi there,
    My server is up and running, appsets are working nicely and everything works perfectly. But I have an issue when accessing the web application from a user PC on the same domain, and I'm not sure if it's down to me or not.
    From the users' PC, with BPC for Excel open, I click on the link for BPC Web, and Internet Explorer opens and attempts to take me to the web app. But if the address contains the server name, it doesn't work. If I manually type the IP address in instead it works.
    Why is this? Have I forgotten to do something, or is it a DNS problem, or other local IT issue?
    I'm sure I've missed something really silly, but can't figure out what!
    Any ideas appreciated!
    Thanks a lot,
    Jason

    Hi Akim,
    I think this is actually part of a wider problem - I have been testing this on my local PC (over the clients' VPN) and now it works fine. But I just logged onto the clients PC using Webex and I can't get into ANYTHING! Not the Admin client, not BPC for Office, not the web application - nothing.
    I think I need to go there on monday and actually go through this with one of their network guys - I'm not convinced that it's a problem with the server anymore!
    Thanks for your help - I will keep you posted!
    Jason

  • SPSiteCollection.Add in WCF service for FBA web application throws "user not found"

    Hi,
    I use SharePoint 2010 SP2. Programmatically I can create a FBA-based web application and now I want to add a new site collection ("/") subsequently. Everything is done in a WCF web service with its own application pool and web application. In extracts my code looks like this:
    const uint cLID = 1031;
    const string cSiteWebTemplate = "BLANKINTERNETCONTAINER#0";
    const string cAdminName = "i:0#.f|user|username";
    const string cDisplayName = "username";
    const string cSiteAdminEmail = "[email protected]";
    SPWebApplication webApplication = SPWebApplication.Lookup(new Uri("https://www.someurl.com"));
    using (SPSite newSite = webApplication.Sites.Add("/", "some title", "some site collection comment", cLID, cSiteWebTemplate, cAdminName, cDisplayName, cSiteAdminEmail, null, null, null, false))
    I also have a Windows forms based application where exactly the same code (except the changes required for WCF services) runs smoothly, no exceptions or errors.
    Now every time the webApplication.Sites.Add-method is called inside the WCF service by any client I get the following exception (it is in German, English translation in square brackets):
    Microsoft.SharePoint.SPException: Der Benutzer kann nicht gefunden werden. [user cannot be found]
      bei [at] Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName,
    String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName)
      bei Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin,
    String secondaryContactName, String secondaryContactEmail, Boolean useHostHeaderAsSiteName)
      bei Microsoft.SharePoint.Administration.SPSiteCollection.Add(String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName,
    String secondaryContactEmail, Boolean useHostHeaderAsSiteName)
    The process user is the same both for my Windows forms based application and my WCF service and I expect the code runs the same in both cases. I did not find any matching forum entry and I have no idea why a WCF service does not execute the same way as a Windows forms application. Additionally, before applying SP2, I used an ASMX service with a similar code snippet and it also worked fine.
    Can anyone please tell me why calling webApplication.Sites.Add-method by a WCF service does not work? Is there anything I can do to make it work properly?

    The creation of a new web application using SharePoint API works in WCF service. I also lined out that...
    SPWebApplication webApplication = SPWebApplication.Lookup(new Uri("https://www.someurl.com"));
    ... works in WCF service. In return I really get the very web application that I requested. Also exactly the same code snippet is called by exactly the same user context both in WCF Service and Windows forms application. Only for Windows forms application it does not throw the exception but in WCF Service it does. I had some WCF Service specialist colleague looking through the code and web.config and he stated it looks ok (unfortunately he does not have any experience with SharePoint).
    If you state "It's not, then your WCF config is wrong" what do you think I need to add or change in web.config in order to make it work? BTW: I did not modify app.config in my Windows forms application, so I thought I do not need to modify my web.config.

  • Web Application Security - User authentication and registration

    I am trying to develop a very simple web app with the following features
    1. Users should be able to register (sign-up) with the application, i.e. backend code will create a new user account when new users sign up.
    2. Once the user account is created, they should be able to log in.
    I was reading Java Security section in Java EE tutorial. To use any of Java EE security, the recommended way is to have security-constraint in web.xml specifying roles that have access to application. The roles are then mapped to the users that are created in the application server. The problem here is that the users cannot be created at deployment time. Users are created at run-time as new people sign up using the registration form. So, how can user be created with the application server before deploying the application?
    It seems very odd to me that application users are defined at the app-server level. E.g., Ebay/Amazon has millions of users. Are all those users defined at the application server where their app is deployed?
    If JavaEE security cannot support this simple use case, what is the point of having security-constraint and all the other security features?

    As per your comment you want to use J2EE/JAAS security for existing users and want a sign-in feature. You can do it by providing a link on the log in screen. Please create the sign up page as an unprotected resource in web.xml. Once the user fills in the sign-in details you can store his details in your authorization repository (LDAP / Database) and then either redirect the request to the login page or submit to your authorization scheme directly.

  • How can I share user sessions?

    Hello,
    This is my scenario in my 9i Production release 2
    I've got one workspace with two projects, one containing a user logon jsp (with HttpSession Object) and another containing the rest of the jsp. When I test the application I run first the logon jsp, and after, I redirect it to another jsp which is placed in the second project. I see then that the session disappears. So how do I have to name the projects, or the applications, or the context-root?
    Regards

    Read the manual on context sharing of the servlet api (2.3). There you should find what you need. Prerequisite: both applications should remain on the same server, otherwise you should persist the sessions in a database or filesystem.
    Regards Marc

  • Previous Users Session Info.

    Hi
    Is there any way I can find out a user who connected to the database, total time he was logged in and when he disconnected?
    Thanks

    Hi,
    You have to do it as described in the below link. Sure it will help you.
    Basically what we have to do is to create a trigger for logon and logoff and have a table like below
    create table stats$user_log
    (
    user_id varchar2(30),
    session_id number(8),
    host varchar2(30),
    last_program varchar2(48),
    last_action varchar2(32),
    last_module varchar2(32),
    logon_day date,
    logon_time varchar2(10),
    logoff_day date,
    logoff_time varchar2(10),
    elapsed_minutes number(8)
    );
    The below link will guide you in creating logon and logoff trigger.
    http://www.dba-oracle.com/art_builder_sec_audit.htm
    Hope this answered your question. Really a good question.
    Best regards,
    Rafi.
    http://rafioracledba.blogspot.com/

  • Session time out in a web application

    Hi,
    I am making a struts based web application. For session time out validation I have made an entry in the web.xml file as <session-config>
              <session-timeout>1</session-timeout>
         </session-config>
    In case the user's session time out occurs then he should be directed back to the log in page.
    Can any one tell me how to proceed in this case and what are the best practices.
    thanks

    Hi
    I've tested it with OC4J and it works both ways.
    I do think that you must have the
    <session-config> tag present though for the setMax... method to
    work, observe that this method is for seconds and not millisecond
    regards
    //Mike
    Hi all,
    I try to manage the http session time-out from my application.
    Changing it in web.xml works fine, but if in my servlet I try
    to change it using setMaxInactiveInterval(MILLISECOND) the result
    is that the session becomes invalidated after a few seconds instead of
    50 minutes, for example ....
    Answer ????
    thanks
    Carlo Mossa

  • Workflow Manager & User Profile Service Application for Extranet Web application

    Hi,
    Recently I have set up an HA WF Manager farm and associated it with the Intranet web application (on-prem). Now I want to use the same farm for our extranet environment (on-prem) but the extranet environment is not associated with UPA. Since the user profile application is not available for the extranet environment, workflow does not work.
    Now if I try to use the existing UPA or create a new UPA for the extranet environment, then I am exposing users' data to all partners and collaborators. But for workflows to work it is necessary that users' profiles should be there in the profile database.
    Is there any way that I can run workflows in extranet environment without exposing user profile data to partners/collaborators? Thanks.
    -Prashant

    Thanks for the reply Paul, but this does not solve the problem.
    Actually in the MySite web application the external users group is not at all added with any permissions but just to check your suggestion I have given permission to the externals group with Deny Read permission. Now UPA is associated to the extranet web application and when I access user profile data using the REST API using a partner account I can still see the data. For e.g. I am using this URL
    https://extranet.abc.com/_api/SP.UserProfiles.PeopleManager/GetPropertiesFor(accountName=@v)?@v='abc\uname'
    When I hit this URL in browser using partner account, it shows the profile data of the account passed in the URL.
    MySite web application is https://mysite.abc.com and on this web application external users group is added under policy with Deny Read permissions. Thanks.
    -Prashant

  • Best way to have only one  instance of an object in web application.

    Hello,
    I defined a class that provides services to my web application: subscribes user, check if user already subscribed etc. The objects don't need to save any session information. So it is like a Stateless Session Bean (from what I've read about Session beans).
    The webapp is small and I don't want to use EJBs.
    What would be the best way to have one instance of the above class in my webapp ?
    Would making the class static be a good method ? Using a factory ?
    Is there a way to put in web.xml something that asks the container to instantiate an object that is not a servlet and place it in Application scope, so that I can retrieve it whenever required in my app ?
    Other suggestions ?
    Thank you,
    Vlad.

    Hi
    The best way to have only one instance is to use the singleton pattern. The idea is: the class has a private constructor, a public static method that returns an instance of this object and a static member that is false if there is not any instance and true if there is an instance.
    To obtain one instance you can do something like
    MyObject ob=MyObject.getInstance();
    this method inspects the static member and returns null if true. If false, it sets it to true and returns the object via the private constructor.
    You can learn more in the book by Gamma .... (gang of four)
    Hope this helps

  • Web Applications questions

              Hi,
              I read through the Web Application documentation and I could not find answers to some questions, so I thought that someone on these forums might be able to help.
              1) Can two or more web applications share code? Or, in other words, can a web application use classes that do not belong to it? If yes, where should these classes reside?
              I tried sharing the code to get a database connection and the Class.forName("weblogic.jdbc.pool.Driver") instruction fails with the error ClassNotFoundException: weblogic/jdbc/pool/Driver.
              2) Can two web applications cooperate? Or, in other words, can one web application use services provided by another web application (like servlets, .jsp pages, images, etc.)?
              I tried linking to a servlet in a web application from another web application and got the error NoClassDefFoundError: javax/servlet/http/HttpServletRequest.
              3) If two web applications can cooperate, can they still cooperate if they reside on two different machines? Or even two different clusters?
              Thanks,
              Vladimir
              

              Alexander Petrushko <[email protected]> wrote:
              >vladimir wrote:
              >
              >> Hi,
              >>
              >> I read through the Web Application documentation and I could not find answers to some questions, so I thought that someone on these forums might be able to help.
              >>
              >> 1) Can two or more web applications share code? Or, in other words, can a web application use classes that do not belong to it? If yes, where should these classes reside?
              >
              >> I tried sharing the code to get a database connection and the Class.forName("weblogic.jdbc.pool.Driver") instruction fails with the error ClassNotFoundException: weblogic/jdbc/pool/Driver.
              >
              >Set your weblogic.class.path correctly and it will work. Look at the shell/bat scripts supplied with the server distribution.
              >
              >> 2) Can two web applications cooperate? Or, in other words, can one web application use services provided by another web application (like servlets, .jsp pages, images, etc.)?
              >
              >Yes, use RequestDispatcher and the correct path.
              >
              >> I tried linking to a servlet in a web application from another web application and got the error NoClassDefFoundError: javax/servlet/http/HttpServletRequest.
              >
              >That's a CLASSPATH/weblogic.class.path issue.
              >
              >> 3) If two web applications can cooperate, can they still cooperate if they reside on two different machines? Or even two different clusters?
              >
              >If webapps A and B are on different machines (VMs), your webapp A can use sendRedirect() to have the client go to webapp B or read B's output stream and proxy it back to the client. Look at
              >java.net.HttpURLConnection if you want to use the latter method. Your webapp A would be no different from the browser or any other HTTP client when talking to webapp B.
              >
              if you go from webapp A to webappB, how do you maintain session state (without saving it in a database) ?
              >Cheers,
              >
              >Alex
              >
              

  • Pdf forms and web applications

    Hi all,
    Can anyone help me regarding the feasibility of using PDF forms in web application such as simple html forms?
    As a part of the web application written in php, we have large html forms for collecting data.
    pdf reports must be generated based on data entered in forms.
    So, 1 filled in form = 1 pdf report. Generating large pdf files from scratch with php script is not fun, and I'd like to figure out if there is some way to use pdf forms created in Adobe LifeCycle as html forms.
    So, we would like to publish pdf forms created in LifeCycle as a part of web application, where users fill in this form and in some way we pass form data to php script (upon form submit) for saving it in database and load data back to pdf form once user decides to edit it.
    Once form is filled in completely we'd like to print it (and maybe save as separate pdf file containing all filled data).
    Please advice, is there any solution for doing something like this, or maybe some other suggestions about simple pdf generation & forms handling in case described above?
    Your input would be greatly appreciated.

    Yours is not a feature request. It is a question about the functionality of the Livecycle Designer product. Please repost in that forum.

  • Inactive status  - v$session  users list over WEB application

    Hi all
    When user connect through asp or asp.net, we create a connection in the session object. New sid gets created with each session.
    When the user normally logs out of the application, his sid gets finished in the v$session users list. But when he does not log out in the normal way, as we can not force thousands of users over WEB to log out normally, what will happen to the v$session?
    1st - We wish to know whether the list will run into thousands of inactive status users OR they automatically get finished over time. We use the default profile as applicable to new user.
    2nd - If the list of inactive status users gets increased to thousands of users which can be possible for the WEB application , there must be some limit fixed by Oracle 8i/ 10g database OR there may be serious performance problems. This simultaneous connection of thousands of users over WEB is easily possible and when connection is created in session object , what could be the scenario. We avoid creating connection object in the application start event to improve performance for the given sesion.
    Any help is appreciated.
    Suresh bansal

    Thanks for prompt reply
    1st - Can u give some idea for create connection pools using asp.net environments. Further in the connection pool environment as to how much simultaneous running connections we should need to open and how.
    2nd - If we have pool of say 100 connections and there are more number of simultaneous WEB users, what will happen to the application as to whether it gets to hanging /waiting for the pool connection to be free or give error ?.
    Suresh Bansal

  • How to share a session across applications?

    Hi
    I am developing a web application. There will be two web applications (including mine) running in one servlet container. The user can navigate from one application to other and vice versa. We need to know how can we share a session across these applications. Any inputs in this regard will be helpful!

    You may be interested (& probably discouraged at the end) in this discussion http://forum.java.sun.com/thread.jspa?threadID=619170
    cheers,
    ram.
