Combining custom application authentication with JAVA EE security. Possible?


Current setup:

  1. We have two web apps (App1 and App2).
  2. App1 doesn't make use of any authentication since it is purely informational.
  3. App2 uses an API for authentication (the API connects to a server somewhere to authenticate the user).
  4. Application Server used: Websphere 8

Problem:

  1. Need to implement SSO for App1 and App2. I understand that to be able to implement SSO in WebSphere, applications must use Java EE security for authentication. Is it still possible to implement this for App2 when it has its own custom authentication process, in order to implement SSO for both apps?

Thanks,


There is 1 answer

Michal Fleischhans (accepted answer):

Let's make it a bit clearer. You say that App1 is not secured at all and App2 is secured by some custom authentication process. Right?

Well then, for App2 -> App1 redirection you don't need any SSO, since App1 is not secured. And for App1 -> App2 redirection no SSO can be implemented, since App1 has no security context to pass.

If App1 were secured as well (by whatever means, HTTP Basic auth for instance; it can be a completely different authentication method than the one App2 uses), AND both apps are running in an IBM environment (WAS for instance), LTPA SSO is used:

  1. A user accesses App1 and is authenticated, by HTTP Basic auth for instance.
  2. WebSphere creates an LTPA (SSO) token for him, and this token is passed along with all subsequent requests; the user is authenticated just once per LTPA session.
  3. If the same user then accesses App2, also running on WAS, and if there is an LTPA trust between the WAS servers (automatic within a cell, manual by creating a cross-cell trust), and if the user belongs to the same REALM, he is considered authenticated and is let through; no App2 custom authentication takes place.
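To illustrate step 1 of the answer, here is an added example (not from the answer or from the asker's project) of the declarative Java EE security that would make App1 container-secured, so that WebSphere performs the authentication and issues the LTPA token. The role name `employee`, the URL pattern `/secure/*` and the realm string are assumptions; the same kind of `security-constraint` would have to be added to App2 for the container, rather than its custom API, to decide who is authenticated.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml for App1; role name, URL pattern and realm string are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Everything under /secure/ requires an authenticated user in the "employee" role.
       The container authenticates the user; on success WebSphere issues the LTPA cookie
       that carries the security context to App2 (same cell or cross-cell trust, same realm). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>App1 protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require TLS: Basic credentials and the LTPA cookie must not travel in clear text. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- "HttpAuth basic" from the answer. FORM would work the same way for SSO purposes.
       Note: this realm-name is only the string shown in the browser prompt; it is NOT the
       WebSphere user-registry realm that the answer says both apps must share. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>App1</realm-name>
  </login-config>

  <!-- Declared roles are mapped to users or groups of the WebSphere user registry at deployment time. -->
  <security-role>
    <role-name>employee</role-name>
  </security-role>
</web-app>
```

With both apps declaring container security this way, App2 can read the container-established identity through `HttpServletRequest.getUserPrincipal()` instead of re-running its own authentication.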