Single Signon and (vs?) Webapp Realms

 
Tim Holloway
Saloon Keeper
We've been looking at a Single Signon solution for our corporate webapps and portlets. Probably something like Yale's CAS system. We'd be authenticating and authorizing against Microsoft's Active Directory. Authentication appears to be no problem, but I'm unclear about authorization.

There are two ways to configure roles in Tomcat. You can create a global realm for all the webapps in the server, or you can create a separate realm for each webapp (I'll ignore the various hybrid options to keep the discussion simple).

I don't really want a global realm, as it requires me to set up a "one size fits all" role mapper for all apps. I could live with that, but searching such a broad base just to get a handful of roles for a specific webapp context (and also returning about 20 times as many roles that have no meaning for that webapp) seems like too much overhead.

So the question is: Is there a way, using an SSO solution, to define authorizations on a per-webapp basis? Specifically for Tomcat, but also in general?
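Added example, not from the thread: the per-webapp form of the Realm Tim describes, as a JNDIRealm against Active Directory placed in the webapp's own META-INF/context.xml, with roleBase narrowed to one OU so the role search only returns the groups meant for that app. The global alternative is the same Realm element nested under Engine or Host in server.xml, where every webapp shares it. The domain, OUs, service account and role names are made up for illustration; LockOutRealm needs Tomcat 7 or later.

```xml
<!-- hr-app/META-INF/context.xml: a Realm scoped to this one context.
     Hypothetical names throughout (example.corp, the OUs, svc-tomcat-hr). -->
<Context>
  <!-- LockOutRealm wraps the real Realm and locks a user after repeated failures -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://ad.example.corp:636"
           connectionName="CN=svc-tomcat-hr,OU=Service Accounts,DC=example,DC=corp"
           connectionPassword="changeit"
           userBase="OU=Staff,DC=example,DC=corp"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="OU=HR-App,OU=Tomcat Roles,DC=example,DC=corp"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="false"/>
  </Realm>
</Context>

<!-- server.xml, the global alternative: one Realm under Engine (or Host) that
     every webapp shares. With a broad roleBase the role search returns every
     group the user is in, whether or not any webapp's web.xml names it. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ad.example.corp:636"
         connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=corp"
         connectionPassword="changeit"
         userBase="OU=Staff,DC=example,DC=corp"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="DC=example,DC=corp"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>
</Engine>
```

In roleSearch, {0} is replaced with the authenticated user's DN, so the query is "groups under roleBase whose member attribute contains this user"; narrowing roleBase and turning off roleSubtree bounds the result set to that app's groups, which is the on-demand, per-app loading Tim is after. The catch for Tomcat's own SingleSignOn valve is that its documentation requires all webapps on the Host to share one Realm nested in the Host or Engine, not in a Context, so the per-context form above works with plain container-managed security but not with that valve. Use ldaps, give the service account read access only to the OUs it needs, and keep context.xml (it holds connectionPassword) readable by the Tomcat user alone.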
 
Greenhorn
The web.xml file in a web app is the place to define role mappings between roles and URLs to protect. See the <security-constraint> tag.

Francis
 
Tim Holloway
Saloon Keeper
No, the question is, "Can I narrow the list of roles that Tomcat is going to read in to a per-app basis and still have single signon?"

The problem comes firstly from Tomcat's reading in EVERY eligible role from its domain definition, even if the role doesn't appear in any app's web.xml.

Secondarily (and more importantly), I'd really rather be able to load the roles for a given webapp on-demand - meaning when the first reference to a given app is made - instead of taking a massive hit loading ALL the roles for ALL the apps the first time the user validates to Tomcat. Aside from really slowing down the initial authentication, it's a waste of memory resources to hold items that aren't being referenced.