SSO is simple, really - as long as every app uses the same authentication token (of course, getting agreement on the token is the hard part).
What type of token does your custom login module create? I assume a homegrown userid+expiryDate+XYZ, all encrypted via JCE? If so, you will need to change the other J2EE app to extract the user id from your token (in web land, from the cookie - cookies will work if both apps use the same domain). Of course, you probably don't have the source code for this other app, or are not allowed to change it.
If the other app is using the container's auth mechanism (i.e. WebSphere uses LTPA, not sure what Oracle uses), then you will need to follow suit. Perhaps Oracle has a public API for generating tokens that your login module can call? If they are like IBM, it is private and you can't use it.
I am in a similar situation. I want to write my own auth manager, but I am afraid about integration with other apps. I want to call IBM's code to create the LTPA, but the &&@$%@'s have a private impl (man, I need JBoss!). So, I am left calling the j_security_check servlet programmatically. What a bloody hack.
Hope this helps. Let me know...
Originally posted by Wes Hughes:
We are using JAAS and a custom login module to authenticate users to our J2EE app. We are now required to share authentication with another J2EE app running on the same server (i.e. a user can go back and forth without having to re-authenticate). Is this even possible? We're running on Oracle 9iAS, which does support SSO but this is not really the approach that we are looking for (but may have to consider).
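
An added example, not code from either poster: one way to build the homegrown userid+expiryDate token mentioned in the reply with the JCE, so that the second app can extract the user ID from the cookie both apps share. The class name `SsoToken`, the AES-GCM choice, the `userId|expiryMillis` layout and the demo key are assumptions; it needs a JDK that provides AES/GCM (Java 8 or later).

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
/** Hypothetical shared SSO token: AES-GCM over "userId|expiryMillis". */
public class SsoToken {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKeySpec key;   // the same key must be configured in both apps
    public SsoToken(byte[] sharedKey) { this.key = new SecretKeySpec(sharedKey, "AES"); }
    /** Login module side: value for a cookie scoped to the domain both apps share. */
    public String issue(String userId, long expiryMillis) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);   // fresh nonce for every token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal((userId + "|" + expiryMillis).getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    /** Other app side: returns the user id, or null if forged, corrupted or expired. */
    public String verify(String cookieValue, long nowMillis) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            if (in.length <= IV_LEN) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
            String plain = new String(c.doFinal(in, IV_LEN, in.length - IV_LEN),
                                      StandardCharsets.UTF_8);
            int sep = plain.lastIndexOf('|');   // last '|' so user ids may contain one
            if (sep < 0) return null;
            long expiry = Long.parseLong(plain.substring(sep + 1));
            return nowMillis < expiry ? plain.substring(0, sep) : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;   // failed GCM tag, bad base64 or bad number: reject the token
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[16];   // constructed demo key; load the real one from config
        new SecureRandom().nextBytes(demoKey);
        SsoToken sso = new SsoToken(demoKey);
        long now = System.currentTimeMillis();
        String cookie = sso.issue("alice", now + 1_800_000L);   // constructed user, 30 min life
        System.out.println(sso.verify(cookie, now));               // checked within lifetime
        System.out.println(sso.verify(cookie, now + 1_800_001L));  // checked after expiry
    }
}
```

GCM authenticates the token as well as encrypting it, so the receiving app rejects a modified cookie instead of trusting whatever user ID it decrypts to.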