Sessions which span webapps?

[ma...@smartmonsters.com]

Folks:

I'm having a problem which I would think would be fairly common.  I would 
like to use the ServletContext/webapp architecture to break a richly 
functional Web site into multiple "applications" maintained by multiple 
development groups.  But at the same time I want to enable "single 
sign-in" for users of the site.  That is, a user should be able to 
authenticate once, and all of the appropriate permissions, state, 
preferences and so on for that user should be cached for fast lookup as 
that user navigates throughout the site.  In the pre-Tomcat world I used 
to stash that info in the user's Session object, which is clean and sweet. 
 Under Tomcat, though, Session objects are specific to a particular 
ServletContext/webapp, so that as the user navigates from one context to 
another, a different Session object is assigned for each context.

Well -- I suppose it would be possible to work around this behavior.  For 
instance, you could create a global cache by putting a Singleton wrapper 
around a Hashtable, then deposit a User object or something like that into 
the global cache keyed by userID.  The User object would have all the 
permissions, state and preferences info which used to go into the Session. 
 But this will turn out to be a lot of work in practice because you'll 
want to manage that cache to remove User objects when people leave the 
site, and etc. etc.  In other words you'll have to recreate much of the 
functionality you get for free from the Session system.

Some app servers allow "global" Sessions which span webapps.   I'm told 
that WebSphere is one.  Is there a way to configure a "global" Session 
like this in Tomcat?  Or is there a simple work around which allows us to 
leverage the functionality already built into the Session system?  How do 
the rest of you deal with this issue?

Thanks!

--Mark