
sharing session in web applications

I am developing a web application using JSP & Servlets (Container: Tomcat7, Database: Oracle10).

I have developed some web applications like Profile, Reports, Leads. Then I developed a Login application. In this application I am storing USERID in the session along with some more session attributes.

After the user logs in, he will be shown a menu which contains links to the other applications, such as a link to the Profile application.

So when I access Session after user log in:

  • If I try to access the session within the same application (Login), then I get the session with all the required attributes
  • But when I try to access the session from other applications like Profiles, then I get the session as null

Code snippet to check the session (Servlet Filter in the Login web application):

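// getSession(false) returns the existing session or null; it never creates a new one
HttpSession session = request.getSession(false);
if(session==null)
{
    System.out.println("Session does not exist... Redirected to LOGIN Page.");
    response.sendRedirect("/ApplicationName/Login.jsp");
    return; // stop here so the rest of the filter chain is not run after the redirect
}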

I am accessing session in Profile application to check whether user is logged in or not.

Then I searched and found that a session can't be accessed from other applications for security reasons. (I have also found that it can be done by setting crossContext="true".)

Then I found another option, making an EAR of all the applications and then deploying it, but unfortunately EAR is not supported by Tomcat7.

I am new to web environment, so if anyone has worked on this before then please let me know what can be the options?

Thanks in advance

Update1

Now I have decided to use an EAR, in which I will pack all the WAR files, and then I will try to share the session between them. Since Tomcat doesn't support EAR, I have installed Oracle Glassfish. Then I created an Enterprise Application Project which contains two applications (1. Login and 2. Profiles), created the EAR file, and deployed it on Glassfish. So I want to share the session between those two applications (on Glassfish); if anybody has any idea about it, then please let me know. (A link to any tutorial will also be appreciated.)

As pointed out above, the requirement you are talking about is Single Sign On (SSO). The simplest SSO that you can implement is the following:

  1. After successful authentication, add a cookie with the encrypted user name (you do not need to encrypt a password).
  2. If you access any of your applications with the user name cookie and succeed in decrypting it, it means that the user was authenticated and you should not show the login page.

Use AES-256 for the encryption.

The way I have seen this done in my shop is to stuff the login credentials into an encrypted cookie and install agents (Java filters, web server mods, etc., in front of the applications that need the user data) that will decrypt the cookies and pass along the data to the downstream applications. Do not store login information in the HTTP session if you want to share it across applications.
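
The encrypted user-name cookie described in the answers above, sketched as an added example that is not code from the original posts. It uses AES-256 in GCM mode so that a successful decryption also proves the value was not modified, and it embeds an expiry time; the class name SsoCookie, the payload layout and the 30-minute lifetime are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SsoCookie {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;   // one AES-256 key shared by every application (assumption)
    SsoCookie(SecretKey key) { this.key = key; }

    // Cookie value = base64url( IV(12) || AES-GCM( expiryMillis(8) || userId ) )
    String issue(String userId, long ttlMillis) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);         // fresh IV per cookie; never reuse one with the same key
        byte[] user = userId.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + user.length)
                .putLong(System.currentTimeMillis() + ttlMillis).put(user).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Returns the user id, or null if the value is malformed, modified or expired.
    String verify(String cookieValue) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            if (in.length < 12 + 8 + 16) return null;   // IV + expiry + GCM tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            ByteBuffer plain = ByteBuffer.wrap(c.doFinal(in, 12, in.length - 12));
            if (plain.getLong() < System.currentTimeMillis()) return null;
            return StandardCharsets.UTF_8.decode(plain).toString();
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;           // a failed GCM tag check (any modified byte) ends up here
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);              // demo key only; deployments load the shared key from config
        SsoCookie sso = new SsoCookie(kg.generateKey());
        String v = sso.issue("USER42", 30 * 60 * 1000L);   // constructed sample user id
        String bad = v.substring(0, 20) + (v.charAt(20) == 'A' ? 'B' : 'A') + v.substring(21);
        System.out.println(sso.verify(v) + " / " + sso.verify(bad));
    }
}
```

A servlet filter in each application would call verify on the cookie value and redirect to the login page when it returns null. The cookie itself should be set with the Secure and HttpOnly flags.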
