Chapter 17. ROP Deployment

Table of Contents

Deploying ROP Server
Deploying ROP Client
Security

Deploying ROP Server

Note

Recent versions of the Tomcat and Jetty containers (e.g. Tomcat 6 and 7, Jetty 8) contain code that addresses the "session fixation" security problem by resetting the existing session ID of any request that requires BASIC authentication. If the ROP service is protected with declarative security (see the ROP tutorial and the following chapters on security), this feature prevents the ROP client from attaching to its session, resulting in MissingSessionExceptions. To solve that, you will need to either switch to an alternative security mechanism or disable the container's session fixation protection. E.g. the latter can be achieved in Tomcat 7 by adding the following context.xml file to the webapp's META-INF/ directory:

<Context>
    <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
            changeSessionIdOnAuthentication="false" />
</Context>

(The <Valve> tag can also be placed within the <Context> in any of the other locations used by Tomcat to load context configurations.)
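Because this setting removes the container's session fixation protection for the whole webapp, it is useful to know exactly which deployed applications carry it. The following audit script is an added example, not part of Cayenne or Tomcat; the function names and the directory layout it scans are hypothetical. It assumes that Tomcat rotates the session ID by default and treats any attribute value other than "true" as disabled.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

AUTH_PREFIX = "org.apache.catalina.authenticator."
ATTR = "changeSessionIdOnAuthentication"

# Constructed sample: the context.xml shown above (rotation disabled).
SAMPLE_DISABLED = """<Context>
    <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
            changeSessionIdOnAuthentication="false" />
</Context>"""

# Constructed sample: same valve, attribute omitted (container default applies).
SAMPLE_DEFAULT = """<Context>
    <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" />
</Context>"""


def find_disabled_rotation(context_xml):
    """Return class names of authenticator valves that disable session ID rotation."""
    root = ET.fromstring(context_xml)  # accepts str or bytes
    hits = []
    for valve in root.iter("Valve"):
        cls = valve.get("className", "")
        flag = valve.get(ATTR)
        # Assumption: a missing attribute means the default (rotation on);
        # any explicit value other than "true" is treated as disabled.
        if cls.startswith(AUTH_PREFIX) and flag is not None \
                and flag.strip().lower() != "true":
            hits.append(cls)
    return hits


def scan_webapps(webapps_dir):
    """Map each META-INF/context.xml under webapps_dir to its flagged valves."""
    findings = {}
    for path in sorted(Path(webapps_dir).rglob("META-INF/context.xml")):
        try:
            hits = find_disabled_rotation(path.read_bytes())
        except ET.ParseError:
            hits = ["<unparseable context.xml>"]  # surface it, do not skip
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    print(find_disabled_rotation(SAMPLE_DISABLED))
    print(find_disabled_rotation(SAMPLE_DEFAULT))
```

The scan only covers context.xml files packaged under META-INF/; valves declared in the other locations Tomcat reads context configuration from need the same check.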

Deploying ROP Client

Security