If you have written your own login manage I cannot help you. Too much would depend on how you designed it. And, for the record, user-designed login managers have a near-100% record of being insecure, whether SSO or no.
If you are using the J2EE standard container-managed security sytem, logins are handled by the web application server, not by the web application. In that case, incoming URLs are scanned against the security patterns defined in the webapp's web.xml file, and if there's a match requiring a logged-in user, the seccurity manager steps in.
The first thing that the security manager does is determine whether the user is already logged in. If so, then it proceeds to check the user's assigned security roles against the roles allowed to make that URL request. Otherwise, the original URL request is placed on hold and the container displays the login page, accepts input from it, and validates the user's credentials. If they fail, the loginfail page is displayed. Otherwise the original URL request is pulled off hold, the security roles are checked, and - if the roles are acceptable - the request gets passed to the application for it to process.
There's really no difference between SSO and non-SSO security using the container security system other than that the container is configured to use an SSO security provider, such as CAS.
Bjoke: A "Bully Joke". A Statement or action made with malicious intent - unless challenged. At which point it magically transforms into "I was just funnin'" or "What's the matter, can't take a joke?"
You showed up just in time for the waffles! And this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop