I've been working on access management solution for an application (Java EE).
Here is what I have currently: In the application I have a filter that checks whether specific HTTP headers are set and authenticates the user based on these values. The application is never exposed directly to the users, but deployed behind Apache HTTPD that performs SSL client certificate verification. In case verification passes it rewrites some data from certificate to HTTP headers and send request to the JK worker that is handled by application server (JBoss).
What I'd like to do reuse the mechanism described above to be able to deal with alternative methods of pre-authentication. For instance I need SAML so I was wondering about implementing a component that would handle SSO (using SAML or OpenID) then set the HTTP headers (like above) and forward request for processing to JBoss. How that differs from the current implementation described above is that the new authentication mechanism would be implemented in Java rather than as another Apache module.
My questions is how to handle communication from one Java EE application to another Java EE application in the same way Apache HTTPD and Tomcat/JBoss communicates using AJP? Is there any service like that in JBoss?
Similar question I've just managed to find: Is there an implementation of AJP protocole in Java?
