Posted to users@tomcat.apache.org by Jose Alberto Fernandez <ja...@cellectivity.com> on 2004/03/10 17:01:34 UTC

Using Tomcat to implement a Weblogic like SSO authentication

Hi, I am trying to evaluate migrating our application from Weblogic to a
Tomcat/JBoss environment. One of the main roadblocks at the moment is
our reliance on the way SSO is done in weblogic.

In weblogic, even within the same virtual host, you can specify
different SSO domains by defining different names for the sessionID
parameter. All webapps sharing the same sessionID name will share the
same user authentication information. This is independent of whether
the sessionID is passed as a cookie or as a parameter of the request.
So given the following URLs:

   /app1/main.html;dom1Id=sdjhfaksjdhfa
   /app2/other.html;dom1Id=sdjhfaksjdhfa
   /app3/another.html;dom2Id=sdjhfaksjdhfa

In this case going from /app1 to /app2 will not require authentication
because they use the same SSO information. But going to /app3 will
cause a login since the domain is different. Moreover, this needs to
work without cookies. We have to switch off the use of cookies due to
problems in the session cookie handling by some browsers.

Is such a configuration possible in Tomcat? Or, if not, does the Tomcat
API provide what is needed so one can EASILY build such an
authentication module?

Any additional suggestions? I have looked and looked around for answers
in this regard but found nothing.

Thanks in advance,

Jose
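
The behaviour described in the message above, modelled as an added example that is not part of the original post and is neither Tomcat nor WebLogic code: the SSO domain is keyed on the name of the `;name=value` path parameter, so the same ID value under another name does not authenticate. The app-to-parameter mapping, the `SsoRegistry` class and the user name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed configuration: the session-ID parameter name each webapp uses.
# Webapps sharing a name share one SSO domain.
APP_SESSION_PARAM = {"/app1": "dom1Id", "/app2": "dom1Id", "/app3": "dom2Id"}


def path_params(url):
    """Return {name: value} for ';name=value' parameters on the last path segment."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    params = {}
    for part in last_segment.split(";")[1:]:
        name, sep, value = part.partition("=")
        if sep and name:
            params[name] = value
    return params


def context_of(url):
    """Return the webapp context ('/app1') from the first path segment."""
    return "/" + urlsplit(url).path.split("/")[1].split(";")[0]


class SsoRegistry:
    """Hypothetical store of authenticated sessions, keyed per SSO domain."""

    def __init__(self):
        self._sessions = {}  # (parameter name, session id) -> user

    def login(self, param_name, session_id, user):
        self._sessions[(param_name, session_id)] = user

    def authenticate(self, url):
        """Return the user for this request, or None when a login is required."""
        param = APP_SESSION_PARAM.get(context_of(url))
        session_id = path_params(url).get(param) if param else None
        if session_id is None:
            return None
        return self._sessions.get((param, session_id))


def demo():
    """Run the three URLs from the message after one login in domain dom1Id."""
    reg = SsoRegistry()
    reg.login("dom1Id", "sdjhfaksjdhfa", "jose")  # constructed user name
    urls = ["/app1/main.html;dom1Id=sdjhfaksjdhfa",
            "/app2/other.html;dom1Id=sdjhfaksjdhfa",
            "/app3/another.html;dom2Id=sdjhfaksjdhfa"]
    return [reg.authenticate(u) for u in urls]
```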