Santiago Gala <sgala <at> apache.org> writes:

> 
> Re: your authentication&authorization problem, the session and the
> request are shared if the servlet and the portlet are in the same
> webapp, so you have basically all you need.
> 

Unfortunately, this does not seem to be the case. At least with Jetspeed2 
anyway. Essentially, I believe that when you access a portlet of webapp X 
through jetspeed's webapp Y, then you are somehow kept in the scope of Y's 
class loader. When you by-pass the portal and access a servlet/JSP URI of 
webapp X directly, your session from webapp Y is not available. I'll have to 
do some tests to verify this for sure, but so far, that seems to be how it 
works for jetspeed at least.

However, the light at the end of the tunnel is using tomcat's SSO mechanism 
to establish a container level session that will share your security principal 
and roles. I just have to figure out how to get that working with Jetspeed's 
security setup.  You still would not have access to session scoped objects 
created though, but that's not such a big deal as you could reload them in 
webapp X.

Note that it is always the case in tomcat, even with SSO, that session 
scoped attributes in context A are not available to context B (as it should be).
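
The approach discussed in the message above, sketched as an added example (not code from the original post or from Jetspeed): a servlet in webapp X takes the user's identity from the container and rebuilds its own session-scoped state instead of expecting webapp Y's session. The class name, attribute key, role name and `loadProfile` helper are hypothetical, and the setup described in the first comment is an assumption.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed setup (not stated in the original message):
//  - server.xml has <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
//    inside the <Host> that contains both webapps, and both use the same Realm;
//  - this servlet's URL is covered by a <security-constraint> in webapp X's web.xml,
//    so Tomcat's authenticator populates the principal from the SSO entry.
public class DirectAccessServlet extends HttpServlet {
    // Hypothetical attribute key; it lives only in webapp X's session.
    private static final String PROFILE_ATTR = "example.userProfile";
    // Hypothetical role name.
    private static final String REQUIRED_ROLE = "user";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity and roles come from the container, not from webapp Y's session.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // This is webapp X's own HttpSession: attributes set by the portal in
        // webapp Y are never visible here, so reload what is needed.
        HttpSession session = req.getSession(true);
        Object profile = session.getAttribute(PROFILE_ATTR);
        if (profile == null) {
            profile = loadProfile(user.getName());
            session.setAttribute(PROFILE_ATTR, profile);
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + user.getName() + " profile=" + profile);
    }

    // Hypothetical helper standing in for a lookup in a store both webapps can reach.
    private Object loadProfile(String userName) {
        return "profile-for-" + userName;
    }
}
```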
