Just a late followup to this thread. I succeeded in creating a "poor man's SSO" where several webapps run in the same karaf instance behind an nginx reverse proxy and share the same realm and session: https://github.com/steinarb/authservice/
The authservice also offers cookie-based authentication to the nginx server itself. The cookie path issue mentioned in a different thread is taken care of by having the nginx reverse proxy rewrite the cookie path to be /.

The different apps get the "SSO" by using OSGi service injections of the Realm and SessionDAO interfaces into DS components providing filter services that plug into the web whiteboard, and by authservice having DS components providing the Realm and SessionDAO services.

An example of a web whiteboard filter DS component receiving service injections: https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/java/no/priv/bang/ukelonn/web/security/UkelonnShiroFilter.java#L41

The DS component providing a Realm service: https://github.com/steinarb/authservice/blob/master/authservice.web.security.dbrealm/src/main/java/no/priv/bang/authservice/web/security/dbrealm/AuthserviceDbRealm.java#L25

The DS component providing a SessionDAO service: https://github.com/steinarb/authservice/blob/master/authservice.web.security.memorysession/src/main/java/no/priv/bang/authservice/web/security/memorysession/MemorySession.java#L23
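The wiring described in the message above, as an added sketch that is not part of the original post and is not code from authservice or ukelonn: a DS component that registers a Shiro filter with the web whiteboard and builds its security manager from an injected Realm and SessionDAO. The package, class name, whiteboard context name `exampleapp` and URL patterns are hypothetical, and Shiro 1.x with `javax.servlet` is assumed.

```java
package example.web.security; // hypothetical package, not from the linked projects

import javax.servlet.Filter;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Registered as a whiteboard filter for one webapp's servlet context.
// "exampleapp" is a constructed context name.
@Component(service = Filter.class, immediate = true, property = {
    "osgi.http.whiteboard.filter.pattern=/*",
    "osgi.http.whiteboard.context.select=(osgi.http.whiteboard.context.name=exampleapp)"
})
public class ExampleShiroFilter extends AbstractShiroFilter {
    private Realm realm;           // shared user database, provided by another bundle
    private SessionDAO sessionDao; // shared session store, provided by another bundle

    @Reference
    public void setRealm(Realm realm) { this.realm = realm; }

    @Reference
    public void setSessionDao(SessionDAO sessionDao) { this.sessionDao = sessionDao; }

    @Activate
    public void activate() {
        // Every webapp that injects the same SessionDAO service resolves the
        // session id from the cookie against the same session store.
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionDAO(sessionDao);
        sessionManager.setSessionIdUrlRewritingEnabled(false); // keep session ids out of URLs

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);
        setSecurityManager(securityManager);

        // Require an authenticated subject on every path of this webapp.
        DefaultFilterChainManager chains = new DefaultFilterChainManager();
        chains.createChain("/**", "authc");
        PathMatchingFilterChainResolver resolver = new PathMatchingFilterChainResolver();
        resolver.setFilterChainManager(chains);
        setFilterChainResolver(resolver);
    }
}
```

Sharing the SessionDAO only gives single sign-on if the browser sends the session cookie to every app, which is why the cookie path has to cover all of them.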
