tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Token Security
Date Wed, 11 Nov 2009 22:07:41 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John,

On 11/11/2009 2:11 PM, John Morrison wrote:
> 1) The referer must be XXX (configurable)
> 2) There must be a token passed either GET or POST in the URL which
> matches some internally generated code.

I agree with Mark: a relatively simple Filter could be implemented that
prohibits access unless the above requirements are met.

These requirements don't really authenticate the user in any way, do
they? Do you have to populate a Principal object in the request and then
use that to do authorization? Or, do you just need to prevent
unauthorized people from getting in?

> I've been looking at this, and I *think* that I need to add a JAAS realm,
> but I can't work out how to not have a login page.  The security must deny
> access unless the above is matched.
> 
> I've seen reference to where auth-method can be NONE which I assume is
> right (since none of the others are) but am at a loss as to how to get
> this to work.

You could always make your login page just look like a "Forbidden" page.
There's nothing that says a login page has to contain a login form :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkr7Na0ACgkQ9CaO5/Lv0PBXEwCeLFod/89YKZsX0vFjr4eGYC1X
+Z8AoI+Y+mK+4h/NORJ2LFmf1H/Rsf0Y
=J/bL
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message