Has any one had any experience with implementing a stronger security framework that may use a plugable authentication framework for say using two factor authentication? This may go on to be used to provide SSO functionality. So that for example the reverse proxies may require authentication before going forward and then the tomcat serevrs accept the cookies from the proxy authentication and map the user to an identity and setup a session?