I have two applications each with their own context root and each has their own JAAS security domain. I have a set of users with the same logon credentials for both security domains but with differing roles for each domain.

I have enabled SSO by uncommenting the valve
org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn
in deploy/jbossweb-tomcat50.sar/server.xml.

I have also disabled caching of security credentials by setting to zero
the DefaultCacheTimeout and DefaultCacheResolution attributes of the JAAS security manager and realm mapping mbean in conf/jboss-service.xml

I would expect the resultant behaviour to be that a user is asked to sign on once but roles would be determined for every access.
However it appears that roles are determined at the point of sign on and not for every access.

Am I missing something here? Dependant upon which resource the user attempts to access first their roles are set for the domain that the resource exists in. If they stay within that domain then everything is fine as they will only have access as their roles permit. If however they attempt to access a susequent domain where they have less roles then they can access resources that they shouldn't be able to.

Is it possible (using declarative security) to have a user authenticate once across multiple applications (within a cluster) but to have authorization determined for every access?