-
Oct 4th, 2012, 10:09 AM
#21
Marten, thank you for your help anyway.
-
Oct 11th, 2012, 05:34 AM
#22
A possible solution
I came up with a solution.
Full sample project is here.
I've decided not to use remember-me and not to intrude into the SSO workflow (like storing CAS tickets). It works like this:
1. While the user browses non-protected application pages, there are no CAS requests at all; it doesn't matter whether the user is authenticated at the moment or not.
2. When the user authenticates with any application, that application sets a domain-wide "Authenticated=true" cookie.
3. When any other application sees this cookie, it starts the standard authentication process, no matter whether a protected or unprotected page is requested.
To make this approach work, just two classes are needed: GroupAuthenticationFilter to set the cookie when needed, and GroupAuthLogoutHandler to delete this cookie when the user logs out. Both are quite simple.
No security risks, no EARs needed, and it should work with any authenticators, both internal and external types. Now (at last!) I can render the user name on any site page and do a group authentication.
Not the best possible solution, but I hope this helps someone else. Feedback is very welcome.
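The three steps above, as an added illustration of the marker-cookie approach in Spring Security 3.x terms. This is editor-written example code, not the poster's sample project: the package name, the `GroupAuthCookie` helper, the cookie domain `.example.com`, and the assumption that every application is served over HTTPS and on a Servlet 3.0 container (for `setHttpOnly`) are all assumptions. The filter is meant to be registered after the CAS authentication filter (for example `<custom-filter after="CAS_FILTER" ref="groupAuthenticationFilter"/>`) so that the security context is already populated when it runs, and the handler is added to the logout filter's handler list.

```java
package example.groupauth; // hypothetical package name

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.web.filter.OncePerRequestFilter;

/** Domain-wide marker cookie shared by all applications under one parent domain. */
final class GroupAuthCookie {
    static final String NAME = "Authenticated";

    /** The marker is a signal only; it is never consulted for authorization. */
    static boolean isPresent(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName()) && "true".equals(c.getValue())) return true;
        }
        return false;
    }

    /** Build the marker; with delete=true the same cookie is built with Max-Age=0 to remove it. */
    static Cookie create(String domain, boolean delete) {
        Cookie c = new Cookie(NAME, delete ? "" : "true");
        c.setDomain(domain);      // e.g. ".example.com" so every sibling application sees it
        c.setPath("/");
        c.setHttpOnly(true);      // assumption: Servlet 3.0+; no need for scripts to read it
        c.setSecure(true);        // assumption: all applications are served over HTTPS
        c.setMaxAge(delete ? 0 : -1); // -1 = session cookie, dies with the browser session
        return c;
    }

    static boolean isAuthenticated(Authentication a) {
        return a != null && a.isAuthenticated() && !(a instanceof AnonymousAuthenticationToken);
    }
}

/** Step 2 and step 3: set the marker after local login, or start CAS when another app set it. */
public final class GroupAuthenticationFilter extends OncePerRequestFilter {
    private final String domain;
    private final AuthenticationEntryPoint entryPoint; // e.g. CasAuthenticationEntryPoint
    private final HttpSessionRequestCache requestCache = new HttpSessionRequestCache();

    public GroupAuthenticationFilter(String domain, AuthenticationEntryPoint entryPoint) {
        this.domain = domain;
        this.entryPoint = entryPoint;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        boolean loggedIn = GroupAuthCookie.isAuthenticated(
                SecurityContextHolder.getContext().getAuthentication());
        boolean marked = GroupAuthCookie.isPresent(req);

        if (loggedIn && !marked) {
            // Step 2: this application just authenticated the user; tell the sibling apps.
            res.addCookie(GroupAuthCookie.create(domain, false));
        } else if (!loggedIn && marked) {
            // Step 3: another application authenticated the user. Run the normal CAS
            // handshake here as well, even on an unprotected page, and come back afterwards.
            requestCache.saveRequest(req, res);
            entryPoint.commence(req, res,
                    new InsufficientAuthenticationException("group authentication marker present"));
            return;
        }
        // Step 1: no marker and not logged in, or already both: no CAS traffic at all.
        chain.doFilter(req, res);
    }
}

/** Removes the marker on logout so sibling applications stop triggering CAS. */
final class GroupAuthLogoutHandler implements LogoutHandler {
    private final String domain;

    GroupAuthLogoutHandler(String domain) {
        this.domain = domain;
    }

    @Override
    public void logout(HttpServletRequest req, HttpServletResponse res, Authentication auth) {
        res.addCookie(GroupAuthCookie.create(domain, true));
    }
}
```

The security-relevant property is that the cookie only decides whether to start the CAS handshake; CAS still issues and validates the ticket, so a forged "Authenticated=true" cannot grant access to anything. What it can do is send an anonymous visitor who carries a stale or forged marker to the CAS login page on a public page, so keep it a session cookie, delete it on logout as above, and consider the CAS gateway mode if visitors who logged out of CAS elsewhere must not be bounced to the login form.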
-
Oct 30th, 2012, 08:28 AM
#23
Yet another solution, if anyone is interested.
We can proxy all requests through any of the applications on the same server. This approach gives us full-fledged shared sessions, not just simultaneous authentication/authorization.
A working example is here.
Warning! Shared sessions can be potentially dangerous.