Oh and by the way...The servlet spec says what I am asking is actually not legal...
SRV.7.3 Session Scope
HttpSession objects must be scoped at the application (or servlet context) level.
The underlying mechanism, such as the cookie used to establish the session, can be
the same for different contexts, but the object referenced, including the attributes in
that object, must never be shared between contexts by the container.
To illustrate this requirement with an example: if a servlet uses the Request-
Dispatcher to call a servlet in another web application, any sessions created for
and visible to the callee servlet must be different from those visible to the calling
I assume JBoss/Tomcat's mod will help me get around this limitation.