BACKGROUND
We are using Glassfish server, and configured it with Single Sign-On (SSO) enabled so that user only has to authenticate once and can access multiple web apps. Each web app specifies FORM based login (*j_security_check*) and for dev purposes we are using the File Realm. This is working fine.
Glassfish generates both a Session (scoped to path of the web app where user authenticated), and also Cookie (JSESSIONIDSSO) to identify maintain authenticated state for the server (and the other web apps).
You can force user to re-authenticate by calling Session.invalidate() on the users web app session, and that also invalidates the SSO Cookie. All this works fine.
PROBLEM
We are looking for a way to prevent user from having multiple simultaneous logins. It seems natural to try to capture either the user's session once created (or else the SSO Cookie), and store it in map keyed by user's name, which can be checked whenever someone hits the login page, and invalidate old session if it exists.
Ideally, we would like to handle some post-authentication event, in a context where we can access both the user name (or Principal object), and the Session created. (I was looking at the HttpSessionListener, but that does not seem to provide any access the user it is linked to).
I am trying to do this without either a kluge ('cause I think think of several), or introducing some other entirely new framework into the app (e.g. Spring Security). (And hopefully this doesn't require implementing an entire JAAS Module...)
I ended up creating a custom Servlet Filter to check that user did not already have an active session. This seems like it should really be a service offered by the authentication tier of the J2EE container.