Thread: Sharing security between two web apps

  1. #1
    Join Date
    Mar 2012
    Posts
    1

    I need to be able to have two web apps share a login. I can have them on the same server if that is necessary. I've tried using the remember-me feature but that didn't work. Basically I have two WAR files deployed and am trying to get Spring to share a login between two HTML files:

    http://localhost/myapp-1/a.html
    and
    http://localhost/myapp-2/b.html

    Both of my security context settings are set up like so (the only difference being the .html filename in the pattern):

    Code:
    <sec:global-method-security pre-post-annotations="enabled">
    </sec:global-method-security>

    <sec:http use-expressions="true">
        <sec:intercept-url pattern="/a.html" access="hasRole('ROLE_USER')"/>
        <sec:intercept-url pattern="/**" access="permitAll"/>

        <sec:form-login />
        <sec:logout />
        <sec:remember-me key="myKey"/>
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="SELECT USERNAME,PASSWORD,ENABLED FROM USERS WHERE USERNAME = ?"/>
        </sec:authentication-provider>
    </sec:authentication-manager>

    Both of these configurations work perfectly fine individually; I was just hoping that when I log in to one, it would recognize the same login on the other. Is this even possible? Is there a better way to do this?

  2. #2
    Join Date
    Nov 2006
    Location
    London, UK and Tallinn, Estonia
    Posts
    55

    What you are asking for is single sign-on (and possibly single logout also). There are several options:

    1) If you have two web apps on the same Tomcat server you could use Tomcat's container-managed single sign-on (and Spring's pre-authentication mechanism).
    2) You could deploy something like CAS, which is relatively simple (single logout can be a bit tricky though).
    3) You could use a SAML-based platform like our Cloudseal service, which benefits from a nice Spring namespace and zero installation. This is a commercial service but it's free for up to 50 users. Other SAML products include OpenAM and JOSSO.

    Toby Hobson
    toby.hobson@cloudseal.com
    Single Sign on for Java - www.cloudseal.com
    Follow me on Twitter: tobyhobson
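
Option 1 from the answer above written out as configuration, added here as an example and not taken from either poster. Assumptions: a Tomcat release that ships the SingleSignOn valve, the Spring Security 3.x namespace used in the question, login pages named /login.jsp and /login-error.jsp, and a Realm shared by both applications that issues a container role named ROLE_USER.

```xml
<!-- Constructed example; page names and the role name are assumptions. -->

<!-- 1. Tomcat conf/server.xml: enable SSO for every context on this Host.
     The Realm that checks passwords must sit at Host or Engine level
     (not inside a Context) so that myapp-1 and myapp-2 share it. -->
<Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
</Host>

<!-- 2. WEB-INF/web.xml of myapp-1 (myapp-2 is the same with /b.html):
     the container, not Spring, now authenticates the user. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected page</web-resource-name>
    <url-pattern>/a.html</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_USER</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>ROLE_USER</role-name>
</security-role>

<!-- 3. Spring Security context of myapp-1: form-login and remember-me are
     replaced by the pre-authentication filter, which trusts the container
     principal and copies the listed container roles into authorities.
     Other elements of the posted context are left out here. -->
<sec:http use-expressions="true">
  <sec:intercept-url pattern="/a.html" access="hasRole('ROLE_USER')"/>
  <sec:intercept-url pattern="/**" access="permitAll"/>
  <sec:jee mappable-roles="ROLE_USER"/>
  <sec:logout/>
</sec:http>
```

With the valve enabled, Tomcat issues a JSESSIONIDSSO cookie scoped to the whole host, so a login at either application is recognized by the other, and invalidating the session in one application logs the user out of both.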
