I'm going to develop a WAR application that has to provide generic authentication services (e.g. logon, password check, logoff) to other WAR applications.
The application will output a signon html page (user, password...) and, if the user inserts a good password, the application will instantiate a java object containing all the user stuff necessary to the other applications (e.g. user's permissions, user's settings and so on).
MY QUESTION IS: it is possible to share among two (or more) different web applications (in different contexts in the same web container) the same object?
The answer depends on which servlet container you're using. For example, in Tomcat 4.0, you can set the crossContext attribute of Context in your server.xml file to true. This will allow servlets running under other contexts to get the ServletContext object for this context. However, I don't know of any way to do this under WebLogic 5.1.0. If your servlet container supports sharing of ServletContexts, then you can store your java object in the shared context. Servlets wanting to get this object would just have to do something like getServletContext().getContext("<URL of authentication servlet">).getAttribute("<key for java object>").
According the JavaDocs for ServletContext.getContext(String), "In a security conscious environment, the servlet container may return null for a given URL." So this method of sharing contexts is supported by the spec, but may not be implemented by the vendor. BEA recommends using an external shared resource like a database to do what you want to do.
and thank you for your answer to my question.
The JavaDocs for ServletContext.getContext(String) that you have mentioned in your post, say that "In a security conscious environment, the servlet container may return null for a given URL."
Are you sure that this means that this functionality could not be implemented by some vendors? If true, this could be a problem for me...
IMHO this could mean that verdor_A's servlet container could allow the CONFIGURATION of the inter-context communications;
if you set "/secret" context as a secret context -> getContext("/secret") returns null;
while for the other contexts, as default: getContext("/public") returns public context
What do you think about it?
Certainly, the statement is open to interpretation. I think that your interpretation is very similar to what I said in my previous post. Most servlet containers that I've seen allow you configure whether or not a particular servlet context is shareable. However, I have not seen a way to do this with BEA's WebLogic 5.1.0. It is possible that a vendor decides that their entire servlet container product is "a security conscious environment" and never allow servlet contexts to be shareable. Thus, ServletContext.getContext(...) will return for any URL.
The specs don't force a vendor to make servlet context sharing a configurable option. The API happens to provide a mechanism to access shared contexts. Whether you want to rely on this behaviour depends on you and your organization. If you want to be totally portable to any spec-compliant servlet container, then I would think you shouldn't rely on being able to share servlet contexts. If you know that you will not be changing containers often, or if you make shareable contexts part of your requirements for you servlet container, then go ahead and use it.