I saw the following trick used once in another forum post. This only works if the set of apps has a common "home page" that people should see after they log on.
1) Use either the Tomcat SingleSignOn valve or JBoss's ClusteredSingleSignOn.
2) In one war, the "main war", have your logon form, plus the home page, e.g. index.jsp. This war is configured normally for FORM authentication in web.xml.
3) In the other wars, apply security constraints to the pages, but don't include a login-config element in web.xml. Instead, include an error-page element that directs Tomcat to use a special page "redirect.jsp" for 403 errors.
4) That "redirect.jsp" page is very simple - has no output, just issues a browser redirect to the index.jsp in "main.war".
If a user tries to access any war except the main one without logging in, Tomcat will issue a 403. This triggers the redirect.jsp, which redirects the user to /main/index.jsp. There they hit the normal FORM authentication. Once they authenticate, they see index.jsp. After that the credentials cached with SSO allow them to access the other apps.
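The secondary-war configuration from steps 3 and 4 above, written out as an added example that is not part of the original post. The role name `user` and the Servlet 3.1 schema version are assumptions; `/main/index.jsp` and `redirect.jsp` are the names used in the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of a secondary war (any war except "main").
     Assumes the SSO valve from step 1 is enabled on the Host in server.xml:
       <Valve className="org.apache.catalina.authenticator.SingleSignOn" />  -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Step 3: protect the pages. "user" is an assumed role name; it must
       match a role granted by the realm that the main war logs in against. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected-pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Deliberately NO <login-config> here. This war cannot challenge for
       credentials itself, so an unauthenticated request to a constrained
       URL is answered with 403 instead of a login form. -->

  <!-- Step 3/4: hand every 403 to redirect.jsp. The error page is reached
       by an internal dispatch, so the /* constraint above does not block it.
       Caveat: this also catches the 403 for a user who IS logged in but
       lacks the role, so that user is sent to the home page as well. -->
  <error-page>
    <error-code>403</error-code>
    <location>/redirect.jsp</location>
  </error-page>

</web-app>

<!-- redirect.jsp (step 4), shown as a comment to keep one file per block.
     The target is a fixed path, never taken from a request parameter, so
     the page cannot be used to redirect users to an arbitrary site:

     <% response.sendRedirect("/main/index.jsp"); %>
-->
```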
Thanks for the reply,
I could imagine us having a home page with all the links to the separate webapps. But then again we have to update that page for every new deployment. We develop in a 24 * 7 environment so I can't interfere with live applications. The trouble of putting a login screen in every application is less than this, I'm afraid.
What about JOSSO, can that project solve this problem for me? Or is there anything more structural in the making? Talking about use cases, I think this one is very basic in terms of single sign on.