I'm developing a web portal that loads other web applications running on different J2ee application servers (JBoss and Glassfish, etc).
All application servers including the one the web portal resides on have their own form based JAAS authentication enabled but they all share the same users database.
I've managed to make this work, but wonder if it's possible to have something as follows: 1. to have only the application server where the portal runs to have form based JAAS authentication enabled. 2. every external web application needs to have a filter that authenticates all incoming requests. 3. every iframe holding an external web application needs to "clone" the state of the iframe that logs into the portal application server, so its requests to its own application server will have the "state" that can be authenticated by the portal application server. 4. the aforementioned filter will authenticate incoming requests by taking the "state" out of them and checking its validity against the portal application server.
I'm quite new to the whole concept of JAAS based container authentication, so not sure if terms like "clone" and "state" make any sense here. But hope the above clarifies what I need to achieve.