Wildfly share session between EARs?

Question

I have 2 WAR applications in 2 independent EARs that I want to deploy in a single instance of Wildfly 10/JBoss 7 EAP. How can I share sessions/authentication between the 2 wars?

Ex:

EAR1:
- WAR1
- EJB
- libs


EAR2:
- WAR2
- libs

To be clear, I would like the user to login and authenticate via WAR1, and have that session object available when he accesses WAR2 so that he does not need to log back into the system.

How can I accomplish this? I cannot find documentation relating to what configuration is required to achieve this.

Answer 1

If you only need single sign on and session sharing for apps within wildlfy, you don't need any dedicated SSO mechanism - server already has everything you need. First, you need to secure you applications using some existing security-domain via WEB-INF/jboss-web.xml. Example:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>   
    <security-domain>my-sec-domain</security-domain>    
</jboss-web>

Next you need to enable SSO handling in Undertow(Jboss/Wildfly web server). You can do it with CLI or by manualy updating the corresponding config. Cli command(for standalone mode):

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add(path=/)

Or if you edit the config manually, add <single-sign-on path="/" /> to undertow config like so:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
   <buffer-cache name="default"/>
   <server name="default-server">
    <ajp-listener name="ajp" socket-binding="ajp"/>
    <http-listener name="default" max-post-size="20485760" socket-binding="http" redirect-socket="https"/>
    <host name="default-host" alias="localhost">
       <location name="/" handler="welcome-content"/>
       <filter-ref name="server-header"/>
       <filter-ref name="x-powered-by-header"/>
       <single-sign-on/>
   </host>
</server>

Now we need to enable mechanism for session replication/sharing. In wildfly, it is done using the infinispan subsystem and web cache. You will either need to use full-ha configuraiton profile(standalone-full-ha.xml) or manualy add that subsystem to your config. Here awe are looking for cache container named web. If its there, you should be good to go.
Now when you visit APP-A in your browser, you should get two session cookies JSESSIONID and JSESSIONIDSSO. After switching to APP-B, you should be automatically logged in.
Happy Hacking

Answer 2

Sharing session between two web application which are part of same EAR is possible, go through document for more details on this. For single authentication for both web applications, you have to implement SSO. You can implement SSO using SAML or Kerberos. Hope it helps..!!