since you can't share http session state between webapps, you should use an EJB (entity bean) that can be accessed from both, and you can use a browser cookie (provided both webapps are in same dns domain) to determine if they are logged on, (and if that special, encrypted cookie exists, then you fetch the ejb from either app)

-jp

You are plain wrong. The servlet 2.3 and j2ee 1.3 specs states that a web container should provide for single sign-on between multiple WARs that use form based authentication. Security contexts have nothing to do with session contexts.

if you use jboss-tomcat, you have to change the tomcat-service*.xml to configure a Valve that enables single signon. There's a bug report filled on this (looks like only when Tomcat is inside jboss) so I guess it won't work but it should.

If you use jetty, you are in bad luck. Jetty won't follow the specs on this respect, but the jetty developers already acknowledged the problem and are working on this.

So it should work but it looks like it won't work now.

sorry, i misspoke. i assumed that he also wanted to share session state. thats usually the next thing people ask for after auth.

-j

"flozano" wrote:
You are plain wrong. The servlet 2.3 and j2ee 1.3 specs states that a web container should provide for single sign-on between multiple WARs that use form based authentication. Security contexts have nothing to do with session contexts.

if you use jboss-tomcat, you have to change the tomcat-service*.xml to configure a Valve that enables single signon. There's a bug report filled on this (looks like only when Tomcat is inside jboss) so I guess it won't work but it should.

If you use jetty, you are in bad luck. Jetty won't follow the specs on this respect, but the jetty developers already acknowledged the problem and are working on this.

So it should work but it looks like it won't work now.