Hello everyone! I'm not experienced in security questions, so I hope my question makes sense.
We have a very old and fat product, which I may call a legacy application (for example, it still uses EJB 2 persistence extensively). It uses custom form authentication (it calls HttpServletRequest.login behind the scenes) and uses a custom login module. The application is ported to JBAS 7 and currently runs on a custom-built 7.1.2.Final version with some fixes merged. It is planned to switch to 7.1.3.Final, as it includes the necessary fixes, and to 7.2.x when it is released.
Now I am developing a new module for the product. As it is a completely new module, I want to use the newest technologies available on JBAS 7: I use GWT on the client side and REST/EJB 3.1/JPA 2 on the server side. It is packaged as a separate WAR because I really don't want to merge the code with the existing WAR: the old WAR is messy enough on its own, and it still uses old deployment descriptors which I don't want to touch.
Is it possible to share the security context of the two WARs somehow? I think the security context is associated with the session when HttpServletRequest.login is called. When I open a link from the old WAR, the security principal is correctly restored and EJBContext.getCallerPrincipal returns the logged-in user. But when I open a link from the new WAR (a REST service), the caller principal is anonymous, probably because the session is not shared between the two WARs. Both WARs and the EAR use the same security domain configured in jboss-web.xml and jboss-app.xml. The new WAR is deployed to a subcontext of the old one (for example, if the old WAR's context root is /old-war, then the new WAR's context root is /old-war/new-war), so the browser sends the same SESSIONID for both WARs.
Is there some configuration trick to share the security context? Or maybe there is a different solution for this problem?
htfv (Aliaksei Lahachou)
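A diagnostic endpoint for the new WAR, added here as an example and not taken from the post above or from the product it describes, that makes the situation the question describes observable in one request. It assumes the new WAR already has JAX-RS (RESTEasy on JBoss AS 7) and EJB 3.1 activated; the package name, the class names CallerProbe and WhoAmIResource and the path /whoami are invented for the example. It prints, side by side, the JSESSIONID value the browser sent, whether the container resolved that id to a session in this WAR, the principal the web layer sees, the principal JAX-RS sees, and the principal the EJB container sees.

```java
// --- File: CallerProbe.java (example code, not from the original post) ---
package example.diag;

import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Stateless bean whose only job is to report what the EJB container thinks
// the caller is. On JBoss AS 7 an unauthenticated caller shows up as "anonymous".
@Stateless
public class CallerProbe {

    @Resource
    private SessionContext ctx;

    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "(null)" : p.getName();
    }
}

// --- File: WhoAmIResource.java (example code, not from the original post) ---
package example.diag;

import java.security.Principal;
import javax.ejb.EJB;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

@Path("/whoami")
public class WhoAmIResource {

    @EJB
    private CallerProbe probe;

    // The servlet request of the new WAR, injected by the JAX-RS runtime.
    @Context
    private HttpServletRequest request;

    @GET
    @Produces("text/plain")
    public String whoAmI(@Context SecurityContext sc) {
        // Never create a session from a diagnostic call: we want to know whether
        // the id the browser sent resolves to an existing session in THIS context.
        HttpSession session = request.getSession(false);

        StringBuilder out = new StringBuilder();
        out.append("cookies sent      : ").append(cookieSummary()).append('\n');
        out.append("session resolved  : ")
           .append(session == null ? "(none)" : session.getId()).append('\n');
        out.append("request principal : ").append(name(request.getUserPrincipal())).append('\n');
        out.append("request auth type : ").append(String.valueOf(request.getAuthType())).append('\n');
        out.append("jaxrs principal   : ").append(name(sc.getUserPrincipal())).append('\n');
        out.append("ejb caller        : ").append(probe.callerName()).append('\n');
        return out.toString();
    }

    // Lists session-related cookies by name and value; getCookies() is null
    // when the browser sent none, so guard against that.
    private String cookieSummary() {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return "(none)";
        }
        StringBuilder sb = new StringBuilder();
        for (Cookie c : cookies) {
            if (c.getName().startsWith("JSESSIONID")) {
                sb.append(c.getName()).append('=').append(c.getValue()).append(' ');
            }
        }
        return sb.length() == 0 ? "(no JSESSIONID* cookie)" : sb.toString().trim();
    }

    private static String name(Principal p) {
        return p == null ? "(null)" : p.getName();
    }
}
```

Log in through the old WAR, then open /old-war/new-war/whoami in the same browser. If the output shows a JSESSIONID cookie but "session resolved: (none)" and a null request principal, the browser is indeed sending the same cookie, but the new WAR's session manager has no session with that id: servlet sessions are scoped to a web application, so a shared cookie path alone does not share the session or the authentication bound to it. JBoss AS 7's web subsystem does have an `<sso/>` element on the virtual-server that is designed to propagate authentication across web applications on the same host; whether it picks up a login performed through HttpServletRequest.login in the old WAR is something to verify with this endpoint rather than assume.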