I'm using JBoss 6.1 on a single machine and deploying web apps (wars), each with their own security domain. I am attempting to persist sessions and logins across war deployments. I have managed to have sessions persisted by ensuring that the serialised session is stored outside of the work subfolder that JBoss seems to like to delete (i.e. by adding <Manager pathname="../../abc.ser" /> in the context.xml in the war WEB-INF); however, the redeployment of a war, which has its own security domain set in jboss-web.xml, seems to cause authentication caches to be flushed and forces users to log in again after deployment, despite the session state getting reloaded.
The best idea I have for keeping users logged in, at the moment, is to repackage the .wars into .ears and to set the security domain at the .ear level. Then touching the war's web.xml -- I presume -- would trigger a restart of the war and not the ear, hence not triggering a 'restart' of the security domain.
My question is, is my above solution of repackaging the wars into ears the best way to go, or is there a more straightforward way of keeping users logged in across deployments? (I also thought about pursuing an SSO angle given that each web app is on a different context root...)