First of all, I'm not a user of Shibboleth myself: I have to integrate a web application into an environment where it is used, but nobody knows how it works!!!!
The context: A GWT web application runs on server S and is protected by Shibboleth.
The one page is accessed after Shibboleth login, three cookies are saved in the browser.
This one page then has to contact web services running both on S (the same server managing the application) and on different ones, all protected by Shibboleth.
In practice the web page contacts a servlet on S, which then decides which server and web service to access. The cookies arrive to the servlet, which takes their name and value and then sets the Cookie header with the comma-separated list of pairs "key=value"
The problem: If the web services are not shibbo-protected I can see that the cookies are available to the service (just with information on key and value, no domain and no path), but if they are shibbo-protected then I'm redirected to the login page.
I had been told to use this approach since it's the same they (the "customers", who control Shibboleth) had used internally for one of their products and it worked. I can testify their product works, but it seems to me there must be something behind the scenes.
Please does anyone have any idea of what is going on and/or how I can propoagate authentication information in this scenario?