3 Replies Latest reply on Aug 3, 2002 7:37 PM by mattvincent

    Did the research: This is a JAAS FAQ!

    mattvincent

      Many people are asking how to share the LoginContext between Tomcat & JBoss when running in separate JVMs.

      Scott Stark answered the question of how to login from a servlet in another JVM (org.jboss.test.web.servlets.ClientLoginServlet).
      David Good answered how to implement a single sign on (((Pipeline)catalinaHost).addValve(new SingleSignOn());)

      However, what has not been answered is how to apply a LoginContext to an individual HttpSession, and how to share the same LoginContext between the servlet container (and JBoss) when Tomcat runs in a Virtual Machine outside of the Virtual Machine in which JBoss runs.


      Related Links
      http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

      Repeat of a previous post
      -----------------------------------------------


      Environment:
      JVM1: Tomcat 3.2 (Netbeans 3.3.2)
      JVM2: JBoss 2.4.4

      Following the design of
      org.jboss.test.web.servlets.ClientLoginServlet, I have 3 servlets

      1. Login: Calls LoginContext.login() and places the LoginContext in the session. Invokes secured method on EJB.
      2. Logout: Gets the LoginContext out of the session, calls LoginContext.logout(), and removes LoginContext from session.
      3. Invoke: Invokes a secured method on an EJB.

      This part works normally:
      Cannot (successfully) call Invoke, until Login is called.
      Cannot (successfully) call Invoke, after Logout is called.

      However, if I call Login from one session (e.g. jsessionid..), I can call Invoke from another session!

      Also (this is being requested in other posts as well), after calling Login, the servlet container does not consider me logged in for access to any restricted URLs (e.g. <security-constraint>'s in web.xml).

      Scott, can you direct me to the code in the JBoss-Tomcat bundle that handles associating the servlet container LoginContext and the ejb container LoginContext and discuss any modifications that would need to occur in this multiple-JVM environment?

      Thanks.
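
The cross-session behaviour described in the post, as an added example that is not part of the original post and is not JBoss or Tomcat code. It assumes the caller identity used for EJB calls is held in JVM-wide state rather than per HttpSession (an assumption; the post does not show where it is held), and contrasts that with binding the identity stored in the session to the request thread for the duration of one request. All class, method and session names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Constructed model, not JBoss or Tomcat code; all names are hypothetical.
public class SessionIdentityDemo {
    // Weak: one caller identity for the whole JVM, set by whoever logged in last.
    static String vmWideCaller;

    // Per-session: the identity lives in the session and is bound to the
    // worker thread only while that session's request is being served.
    static final ThreadLocal<String> requestCaller = new ThreadLocal<>();
    static final Map<String, String> sessionStore = new HashMap<>(); // jsessionid -> user

    // Stand-in for the secured EJB method: rejects calls that carry no caller.
    static String securedInvoke(String caller) {
        if (caller == null) throw new SecurityException("not authenticated");
        return "invoked as " + caller;
    }

    // The session id is never consulted, so any session inherits the login.
    static String invokeVmWide(String sessionId) {
        return securedInvoke(vmWideCaller);
    }

    static String invokePerSession(String sessionId) {
        requestCaller.set(sessionStore.get(sessionId)); // bind this session's identity
        try {
            return securedInvoke(requestCaller.get());
        } finally {
            requestCaller.remove(); // pooled worker threads must not keep the identity
        }
    }

    static String attempt(Function<String, String> call, String sessionId) {
        try { return call.apply(sessionId); }
        catch (SecurityException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // Constructed scenario: session "A" logs in, session "B" never does.
        vmWideCaller = "alice";
        sessionStore.put("A", "alice");

        System.out.println("VM-wide,     session B: " + attempt(SessionIdentityDemo::invokeVmWide, "B"));
        System.out.println("per-session, session B: " + attempt(SessionIdentityDemo::invokePerSession, "B"));
        System.out.println("per-session, session A: " + attempt(SessionIdentityDemo::invokePerSession, "A"));
    }
}
```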