[Opensource] integrating other (coldfusion) systems with expresso's security
Mike Traum
mtraum at cirnetwork.org
Thu Apr 10 15:40:23 PDT 2003
I need to be able to allow a web application written in ColdFusion (not
running on the same JVM) to be able to access basic security info, such as
the identity (username, uid) of the current user. Right now, the only idea I
have is:
- use a shared secret so messages between the ColdFusion and Tomcat servers
are known to only be from those servers
- ColdFusion gets the session id (from the requesting user's cookie) and
sends it to an Expresso application over HTTP (HTTPS if going over an insecure
network) adding the ;jsessionid= to the end of the URL
- the Expresso app will think the user is making the request, so it can
simply return session info -- I assume this will work, but have never
tried it.
I'm not liking my idea too much - any better ideas?
tia,
mike
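
The shared-secret step proposed in the message above, sketched as an added example (not part of the original post, and not Expresso or ColdFusion code): the calling server signs the session lookup with an HMAC, and the answering server checks the MAC, freshness and replay before returning identity. Python stands in for both servers; the field names, the timestamp and nonce fields, the secret and the session table are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

SHARED_SECRET = b"constructed-demo-secret"  # placeholder, provisioned out of band
MAX_SKEW = 60  # seconds a signed request stays valid
SESSIONS = {"A1B2C3D4": {"username": "mtest", "uid": 42}}  # constructed sample data
_seen = {}  # nonce -> expiry time, for replay rejection


def _mac(sid, ts, nonce):
    # JSON framing keeps field boundaries unambiguous in the signed bytes
    msg = json.dumps([sid, ts, nonce]).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_request(sid, now=None):
    """Calling side (the ColdFusion server's role): sign the lookup."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"sid": sid, "ts": ts, "nonce": nonce, "mac": _mac(sid, ts, nonce)}


def handle_request(req, now=None):
    """Answering side (the Expresso app's role): verify, then look up."""
    now = int(time.time() if now is None else now)
    try:
        sid, nonce = str(req["sid"]), str(req["nonce"])
        ts, mac = int(req["ts"]), str(req["mac"]).encode()
    except (KeyError, TypeError, ValueError):
        return 400, None
    if not hmac.compare_digest(_mac(sid, ts, nonce).encode(), mac):
        return 403, None  # sender does not hold the shared secret
    if abs(now - ts) > MAX_SKEW:
        return 403, None  # stale or future-dated message
    for old in [n for n, exp in _seen.items() if exp < now]:
        del _seen[old]  # forget nonces whose messages have expired anyway
    if nonce in _seen:
        return 403, None  # replay of an already accepted message
    _seen[nonce] = ts + MAX_SKEW
    user = SESSIONS.get(sid)
    return (200, dict(user)) if user else (404, None)
```

The MAC shows only that the request came from a holder of the secret; the session id in the body still needs a transport that keeps it confidential.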