tomcat-users mailing list archives

From "John Morrison" <morr...@gmail.com>
Subject Re: Token Security
Date Wed, 11 Nov 2009 22:01:12 GMT
On Wed, November 11, 2009 9:51 pm, Mark Thomas wrote:
> John Morrison wrote:
>> Hi,
>>
>> I've been asked to put some security in place for a website, at the moment
>> there are two requirements with a possible extension;
>>
>> 1) The referer must be XXX (configurable)
>> 2) There must be a token passed either GET or POST in the URL which
>> matches some internally generated code.
>>
>> The possible extension would be the token passed in would be sent to
>> (another) webserver for validation.
>>
>> I've been looking at this, and I *think* that I need to add a JAAS realm,
>> but I can't work out how to not have a login page.  The security must deny
>> access unless the above is matched.
>
> I'd just use a filter.
>
> Mark

Hi Mark,

I've not come across filters before - I'll look into them in more depth at
work tomorrow, however could you expound upon how you would envisage it
working?

Does the filter cover all the resources, because once the user token has
been verified I wasn't going to pass it around anymore...?

Thanks for the reply,

John.
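
The filter approach suggested in this thread, as an added example that is not part of the original messages: a servlet filter that enforces the two stated requirements and remembers a successful check in the session, so the token is only needed on the first request. The class name, the `allowedReferer` and `expectedToken` init-params, the `token` request parameter and the session attribute key are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: every name below is hypothetical, not taken from the thread.
public class TokenGateFilter implements Filter {
    private static final String VERIFIED = "tokenGate.verified"; // session flag
    private String allowedReferer;  // requirement 1: configurable referer
    private byte[] expectedToken;   // requirement 2: internally generated code

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        allowedReferer = cfg.getInitParameter("allowedReferer");
        String token = cfg.getInitParameter("expectedToken");
        if (allowedReferer == null || token == null) {
            throw new ServletException("allowedReferer and expectedToken must be set");
        }
        expectedToken = token.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Verified earlier in this session: later requests need no token.
        HttpSession session = request.getSession(false);
        if (session != null && Boolean.TRUE.equals(session.getAttribute(VERIFIED))) {
            chain.doFilter(req, res);
            return;
        }
        // Referer is client-supplied, so the token comparison is the real control.
        String token = request.getParameter("token"); // GET query string or POST form
        boolean refererOk = allowedReferer.equals(request.getHeader("Referer"));
        boolean tokenOk = token != null && MessageDigest.isEqual(
                token.getBytes(StandardCharsets.UTF_8), expectedToken); // constant-time
        if (!(refererOk && tokenOk)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // deny, no login page
            return;
        }
        if (session != null) session.invalidate(); // start a fresh session once verified
        request.getSession(true).setAttribute(VERIFIED, Boolean.TRUE);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Declared in `web.xml` with a `<filter-mapping>` whose `<url-pattern>` is `/*`, the filter runs for every resource in the web application. For the possible extension, the local comparison would be replaced by a call to the validating server.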

