I have a set of RESTful web services. These services are protected on a Glassfish server by OpenSSO. When I attempt to call the RESTful services directly from a browser, OpenSSO intercepts the request, then forwards the request to the REST service once the user’s credentials are authenticated. OpenSSO utilizes a session cookie on subsequent requests (until the session is invalidated) . I’m sure this piece is working correctly.

We’d like to call these services from a Flex client. In order to enable PUT and DELETE operations, we set up BlazeDS to proxy the RESTful requests from the flex client to the REST service. When security to the RESTful services is disabled, this piece works great.

Now we’re trying to secure the entire application. We’ve placed the Flex SWF into a war and deploy to Glassfish. We’ve placed security around this resource and when a user attempts to download the SWF (through an HTML link in the war), OpenSSO intercepts the request, then forwards to the application on successful authorization (just like it does for the RESTful web services).

The problem is – the RESTful calls made by the Flex application (via BlazeDS) are failing. OpenSSO seems to be intercepting these requests as well and again asking for the users credentials. It doesn’t seem the authentication cookies are being passed to (or maybe by) the BlazeDS proxy.

How can I can access the cookies returned by the original SSO authorization request and have BlazeDS pass them along to the RESTful web service?