0 Replies Latest reply on Aug 31, 2005 5:36 AM by andersengstrom

    "Single SignOn" from WebStart application to WebApp

    andersengstrom

      Hi.

      We're having an interesting problem:

      We have an application with a primary client that is a Java WebStart application. The JWS client uses business logic published by SLSBs in a JBoss 4.0.2 server.

      The JWS client uses JAAS (ClientLoginModule) to authenticate itself with the EJB-tier.

      A small portion of the application has been rewritten as a web-application configured with form-based authentication. The webapp uses the same EJBs as the JWS client.

      To access the web-application a browser is launched from the JWS (using standard Java WebStart API) to the URL of the web-application. At this point the user must authenticate himself with the web-application (using the login-form).

      Our users are getting tired of having to log in to the JWS application, and then re-authenticate themselves every time they access the web-application.

      I'm trying to solve this issue - but I'm not sure what the best way to do this is... Currently I'm thinking of creating a "one-time" authentication token (register it in the database) from the JWS client just before the browser is launched. The URL would contain this token (and userID) and a servlet would verify that the token matches (and then remove the token from the DB).

      The servlet would then *somehow* notify Tomcat and JBoss that the user is authenticated and then redirect to the "real" page. Hopefully this would stop the login-form from being shown as the user would already be logged in.

      I've been battling the Tomcat APIs to see how/if this can be done, but so far no success.

      Is there a recommended way to "override" the configured form-based login and make sure that the user gets authenticated using some other kind of custom authentication (such as an authentication token)? Note that the web-application must still be accessible without starting it from the JWS client.

      Any comments/ideas are welcomed!

      //Anders
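
Added example, not part of the original post: a Java sketch of the one-time token handoff the post describes (issue before the browser launch, verify and remove in the servlet). The class and method names are hypothetical, an in-memory map stands in for the database table, and the 30-second lifetime is an assumption; establishing the container's authenticated session after a successful redeem is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper for one-time handoff tokens; the map stands in for the DB table.
public class HandoffTokens {
    private record Pending(String userId, Instant expires) {}
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofSeconds(30); // assumed lifetime
    private final Map<String, Pending> byHash = new ConcurrentHashMap<>();
    private static String sha256(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    // Called for the already-authenticated JWS user just before the browser is launched.
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG, not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(sha256(token), new Pending(userId, now.plus(TTL))); // store only the hash
        return token;                              // URL-safe, goes into the launch URL
    }

    // Called by the servlet. remove() is atomic, so any attempt, valid or not, burns the token.
    public boolean redeem(String userId, String token, Instant now) {
        if (userId == null || token == null) return false;
        Pending p = byHash.remove(sha256(token));
        return p != null && now.isBefore(p.expires()) && p.userId().equals(userId);
    }

    public static void main(String[] args) {
        HandoffTokens store = new HandoffTokens();
        Instant t0 = Instant.now();
        String tok = store.issue("anders", t0);    // constructed user id
        System.out.println("first use: " + store.redeem("anders", tok, t0.plusSeconds(5)));
        System.out.println("replay:    " + store.redeem("anders", tok, t0.plusSeconds(6)));
        String late = store.issue("anders", t0);
        System.out.println("after TTL: " + store.redeem("anders", late, t0.plusSeconds(31)));
    }
}
```

Because the token travels in a URL, it can end up in browser history and server access logs, which is why the sketch keeps it single-use, short-lived and stored only as a hash.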