Tomcat Single Sign On: server console app and my own apps realms clashing

I have implemented SSO for tomcat using the valve in the config.xml however all my apps use one realm and the server (geronimo) another.

Sinc开发者_StackOverflow社区e introducing this they now clash. If signed into my app, the geronimo console gives a 403, and vice versa. I have to sign out of an app in one realm to be able to sign into another.

Anyone know how I can resolve this? Combining the realms is not an option as the users of my web app cannot have access to the console.

I have a work-around for this, and that is to use one realm, but different groups. So the admin group for the server console and all other groups for the other apps, then add the users who have access to the console to the admin group, so that signing in on one of the web-apps will allow access to the console. Not ideal, but it works.