Hi. I'm using JBoss 4.2.1.GA to serve a web application that provides online help for another web application. I won't go into the reasons for separating these two applications but that's important to us. My requirement is that only users of the main web application may access the online help web application.

So one option we are exploring is to add functionality to the online help web app so that it can detect and validate a token from the main web app for every HTTP request.

Before we go too far down that road, I want to understand whether there's JBoss functionality that could secure an application in this way. Googling shows me that JBoss, authentication, tokens, and security are often discussed. Not quite enough to guide me to a clear answer, though.

Can anyone point me toward a particular configuration technique or server function that might be used in this way? Or let me know that it's not likely to be in JBoss? The function does not have to be in v4.2.1.GA. I'll be happy to research the details myself.

Thanks for your help.

Peter