I have a Glassfish 4.1 server running a custom Realm to authenticate via database and, if that fails, via LDAP. This authentication works. I have 2 applications running next to each other. SSO is enabled and works. Default principal-to-role mapping is enabled for the database users. Each application has its own roles.
administration-ear has a role declared AdminUsers. Users in the database get the group assigned in the database, so no mapping is needed. LDAP users have a mapping in glassfish-web.xml:
<security-role-mapping>
<role-name>AdminUsers</role-name>
<group-name>Administrators</group-name>
</security-role-mapping>
users-ear has a role declared Users. Users in the database get the group assigned via the database, just like main-ear, and LDAP users have this mapping in glassfish-web.xml:
<security-role-mapping>
<role-name>NormalUsers</role-name>
<group-name>Users</group-name>
</security-role-mapping>
Each page in both applications includes a topmenu. That topmenu gets all the groups and shows menu buttons accordingly. At the moment there are 2 buttons: "UserProfile" and "View Users". To access "UserProfile" you need the role "NormalUsers", and to access "View Users" you need the role "AdminUsers".
When I log in with my LDAP account, I'm assigned the roles "AdminUsers" and "NormalUsers". But when my browser is on a page that is inside the administration-ear I only see the "View Users" button, and when my browser is on a page in the users-ear, I only see the "UserProfile" button. So my application is not aware of the roles in another application.
The reason why there are 2 applications deployed is that we want to update each application individually, without needing to redeploy/build the other applications.
So is there a way that I can access the roles declared in other applications deployed on the same virtual server?
I've handled it with cookies for now. This is not the best solution, but it is a solution.