Rather a long answer unfortunately, due to the domain bug in WildFly 8.0.0. This answer applies by working around the bug - there is almost certainly an easier variant of it, but I'm not sufficiently familiar with WildFly extensions yet to manage that.
Add under the subsystem, server, host tags in standalone.xml (or domain.xml equivalent) - does NOT matter what the domain is.
In your war files, add:
    WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension
contents:
    FixSSOServletExtension
Make this class implement ServletExtension with a line:
    deploymentInfo.addFirstAuthenticationMechanism("form", new FixSSOAuthenticationMechanism());
(change form to basic or whatever you use)
In FixSSOAuthenticationMechanism.authenticate:
    exchange.addResponseWrapper(responseListener);
    return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
(in the other method just return new ChallengeResult(false) )
Add:
    final class ResponseListener implements ConduitWrapper<StreamSinkConduit> {
        public StreamSinkConduit wrap(ConduitFactory<StreamSinkConduit> factory, HttpServerExchange exchange) {
            Cookie c = exchange.getResponseCookies().get("JSESSIONIDSSO");
            if (c != null) {
                c.setDomain(null);
            }
            return factory.create();
        }
    }
and create an instance of that in the class to return.
Add to your jboss-deployment-structure.xml:
    <module name="io.undertow.core" />
    <module name="io.undertow.servlet" />
    <module name="org.jboss.xnio" />
You only need to do this in the war file which you log in to - but if you can log in at multiple locations, then everywhere needs it, and if so you can put it into a shared module, or a sar module (my copy is in a sar because there is an existing security mbean being deployed there).
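
The pieces described in this answer, assembled into one source file. This is an added example, not the answerer's own code. It assumes the classes sit in the default package (so the services file holds just FixSSOServletExtension), nests the two helper classes inside the extension, and keeps the "form" mechanism name from the answer.

```java
// Added example (not from the original answer). Assumption: default package,
// so META-INF/services/io.undertow.servlet.ServletExtension contains the
// single line "FixSSOServletExtension".
import javax.servlet.ServletContext;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.ConduitWrapper;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.util.ConduitFactory;
import org.xnio.conduits.StreamSinkConduit;

public class FixSSOServletExtension implements ServletExtension {

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        // "form" must match the mechanism the deployment uses (e.g. "basic").
        deploymentInfo.addFirstAuthenticationMechanism("form", new FixSSOAuthenticationMechanism());
    }

    // Never authenticates anyone itself; it only hooks the response.
    static final class FixSSOAuthenticationMechanism implements AuthenticationMechanism {
        private final ConduitWrapper<StreamSinkConduit> responseListener = new ResponseListener();

        @Override
        public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
            exchange.addResponseWrapper(responseListener);
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED; // let the real mechanism run
        }

        @Override
        public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
            return new ChallengeResult(false); // no challenge sent by this mechanism
        }
    }

    // Runs just before the response is written: drops the Domain attribute
    // from the SSO cookie, which makes it a host-only cookie.
    static final class ResponseListener implements ConduitWrapper<StreamSinkConduit> {
        @Override
        public StreamSinkConduit wrap(ConduitFactory<StreamSinkConduit> factory, HttpServerExchange exchange) {
            Cookie c = exchange.getResponseCookies().get("JSESSIONIDSSO");
            if (c != null) {
                c.setDomain(null);
            }
            return factory.create();
        }
    }
}
```

After deploying, check the Set-Cookie header for JSESSIONIDSSO on the login response: it should no longer carry a Domain attribute, so browsers send it back only to the host that issued it.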