cayenne-commits mailing list archives

From aadamc...@apache.org
Subject svn commit: r1384997 - /cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
Date Sat, 15 Sep 2012 02:05:21 GMT
Author: aadamchik
Date: Sat Sep 15 02:05:20 2012
New Revision: 1384997

URL: http://svn.apache.org/viewvc?rev=1384997&view=rev
Log:
CAY-1739 Cayenne ROP server resets session on every request if BASIC auth is used

docs

(cherry picked from commit f837c847118f4a9185c21c7c47d1143fcd6eb9c6)

Modified:
    cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml

Modified: cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
URL: http://svn.apache.org/viewvc/cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml?rev=1384997&r1=1384996&r2=1384997&view=diff
==============================================================================
--- cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
(original)
+++ cayenne/main/branches/STABLE-3.1/docs/docbook/cayenne-guide/src/docbkx/rop-deployment.xml
Sat Sep 15 02:05:20 2012
@@ -4,6 +4,21 @@
 	<title>ROP Deployment</title>
 	<section xml:id="deploying-rop-server">
 		<title>Deploying ROP Server</title>
+		<para>Recent versions of Tomcat and Jetty containers (e.g. Tomcat 6 and 7, Jetty
8) are
+			addressing a security concern related to "session fixation problem" by resetting the
+			existing session ID of any request that requires BASIC authentcaition. If ROP service
is
+			protected with declarative security (see the the ROP tutorial and the following chapters
+			on security), this feature prevents the ROP client from attaching to its session,
+			resulting in MissingSessionExceptions. To solve that you will need to either switch to
+			an alternative security mechanism, or disable "session fixation problem" protections of
+			the container. E.g. the later can be achieved in Tomcat 7 by adding the following
+				<emphasis>context.cml</emphasis> file to the webapp's META-INF/ directory:
+			<programlisting>&lt;Context>
+	&lt;Valve className="org.apache.catalina.authenticator.BasicAuthenticator" 
+			changeSessionIdOnAuthentication="false" />
+&lt;/Context></programlisting>(The
+			&lt;Valve> tag can also be placed within the &lt;Context> in any other locations
used by
+			Tomcat to load context configurations)</para>
 	</section>
 	<section xml:id="deploying-rop-client">
 		<title>Deploying ROP Client</title>
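Review bot: the new para in "Deploying ROP Server" recommends disabling the container's session-fixation protection without stating the trade-off; setting changeSessionIdOnAuthentication="false" on the BasicAuthenticator valve leaves the ROP webapp exposed to exactly the session fixation issue the container was resetting session IDs to address, so the text should say that plainly and present the first option (switching to an alternative security mechanism) as the preferred fix rather than as an equal alternative. The same paragraph also needs its typos fixed before it ships: "authentcaition" → "authentication", "see the the ROP tutorial" → "see the ROP tutorial", "the later" → "the latter", and "context.cml" → "context.xml", which is the file name Tomcat actually reads from META-INF/, so a reader who copies the name as written gets a file the container ignores.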


