I just looked up the servlet spec... It looks like this isn't working with Tomcat? Does anyone know how I can share the user's principal in different web applications in the same security domain without re-authenticating?

SRV.12.6 Server Tracking of Authentication Information

As the underlying security identities (such as users and groups) to which roles are mapped in a runtime environment are environment specific rather than application specific, it is desirable to:

1. Make login mechanisms and policies a property of the environment the web application is deployed in.
2. Be able to use the same authentication information to represent a principal to all applications deployed in the same container, and
3. Require re-authentication of users only when a security policy domain boundary has been crossed.

Therefore, a servlet container is required to track authentication information at the container level (rather than at the web application level). This allows users authenticated for one web application to access other resources managed by the container permitted to the same security identity.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3873108#3873108

JBoss-user mailing list