By default SPNEGO authentication should be http sessoin scoped. Is sharing http session between wars in ear option for you?
Thanks for replay.
I will try this one, but i have my doubts whether this solution is correct:
1) i'm not sure if session sharing is possible for wars operating on different security domains?
2) I do not need to share state of all session attributes. Admittedly SPNEGO should be session scoped, and Principal should be stored in session, but this is not my purpose.
I need to pass to second war information about logged in user and his roles, that's all. So SSO solution seems to be appropriate.
After succes spnego authorization, JAASIdentityManagerImpl.verifyCredential is called. As a parameter AccountImpl is passed.
Spnego sets logged user as principal in AccountImpl attribute but JAASIdentityManagerImpl is using Account.getOriginalPrincipal() to check if principal is valid by second war security domain.
The problem is that originalPrincipal points to unique number which identifies user before any authorization. For that reason second login module has no chance to verify correctness of that a user.