3 Replies Latest reply on Feb 21, 2015 9:46 AM by pcraveiro

    JPA and Token Store together

    backslash47

      Hello,

       

      I am developing an application which consists of two separate WAR modules. One is a pure HTML5 web app and the second one is a REST API. I want the API to be completely stateless and to protect it with token-based authentication.

       

      The problem is that I want to use two separate identity stores in one application: JPAIdentityStore for the initial Basic auth scheme, and then, after issuing the token, TokenIdentityStore. Therefore I do not want PicketLink to make any database requests when the request is authenticated with a token (as it contains all that I need: subject, roles, groups and even the permissions I had implemented).

       

      For now, I have two separate WAR modules for the API (with the HTML5 web app this is 3 for the whole application). One is the identity provider module, which has the JPAIdentityStore configured, and the second one is the API module, which has only TokenIdentityStore configured. This configuration is necessary because, however I tried, I was not able to tell PicketLink to use only TokenIdentityStore when dealing with a token-authenticated request.

       

      So the question is: "Has anybody successfully implemented such an authentication/authorization scheme, where the token is completely self-contained, without using two separate WAR modules?"

       

      Best regards,

       

      Matus Zamborsky