From: Christopher Schultz
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Token Security
Date: Wed, 11 Nov 2009 17:07:41 -0500
Message-ID: <4AFB35AD.7010502@christopherschultz.net>
List: users@tomcat.apache.org (run by ezmlm; Reply-To: "Tomcat Users List")

John,

On 11/11/2009 2:11 PM, John Morrison wrote:
> 1) The referer must be XXX (configurable)
> 2) There must be a token passed either GET or POST in the URL which
> matches some internally generated code.

I agree with Mark: a relatively simple Filter could be implemented that
prohibits access unless the above requirements are met.

These requirements don't really authenticate the user in any way, do
they? Do you have to populate a Principal object in the request and then
use that to do authorization? Or, do you just need to prevent
unauthorized people from getting in?

> I've been looking at this, and I *think* that I need to add a JAAS realm,
> but I can't work out how to not have a login page. The security must deny
> access unless the above is matched.
>
> I've seen reference to where auth-method can be NONE which I assume is
> right (since none of the others are) but am at a loss as to how to get
> this to work.

You could always make your login page just look like a "Forbidden" page.
There's nothing that says a login page has to contain a login form :)

-chris
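The Filter Chris and Mark describe, written out as an added example for this page; it is not code from the thread, from John's application or from Tomcat itself. It assumes the Servlet 2.5 API that ships with Tomcat 6. The class name, the init-param names `referer` and `token`, the request parameter name `token`, the context attribute `example.token` and the web.xml mapping in the comment are all this example's own choices.

```java
// Added example, not from the mailing-list thread: a javax.servlet.Filter that
// denies a request unless (1) the Referer header starts with a configured
// value and (2) a "token" parameter (query string for GET, form body for POST)
// equals a server-side secret. Everything below that is a name or parameter
// is an assumption made for the example.
//
// Registration in WEB-INF/web.xml (example mapping, adjust to taste):
//   <filter>
//     <filter-name>tokenReferer</filter-name>
//     <filter-class>example.TokenRefererFilter</filter-class>
//     <init-param><param-name>referer</param-name>
//                 <param-value>https://portal.example.com/</param-value></init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>tokenReferer</filter-name>
//     <url-pattern>/protected/*</url-pattern>
//   </filter-mapping>
package example;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TokenRefererFilter implements Filter {

    private static final Charset UTF8 = Charset.forName("UTF-8");

    private String expectedReferer; // configured origin, e.g. "https://portal.example.com/"
    private String expectedToken;   // configured, or generated once per deployment

    public void init(FilterConfig config) throws ServletException {
        expectedReferer = config.getInitParameter("referer");
        if (expectedReferer == null || !expectedReferer.endsWith("/")) {
            // Require the trailing slash: a prefix check on "https://a.example"
            // would also accept "https://a.example.evil.net/".
            throw new ServletException("init-param 'referer' must be an origin ending in '/'");
        }
        expectedToken = config.getInitParameter("token");
        if (expectedToken == null) {
            // No token configured: generate 128 random bits and publish it in the
            // servlet context so a trusted component on this server can hand it out.
            byte[] raw = new byte[16];
            new SecureRandom().nextBytes(raw);
            expectedToken = String.format("%032x", new BigInteger(1, raw));
            config.getServletContext().setAttribute("example.token", expectedToken);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(request)) {
            // This is the "login page that just looks like Forbidden": no form, no realm.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Both of the original requirements must hold. */
    boolean isAllowed(HttpServletRequest request) {
        String referer = request.getHeader("Referer");
        if (referer == null || !referer.startsWith(expectedReferer)) {
            return false;
        }
        // getParameter() covers both GET (query string) and POST (form body).
        String token = request.getParameter("token");
        return token != null && constantTimeEquals(token, expectedToken);
    }

    /** Compare without leaking the position of the first mismatching byte. */
    static boolean constantTimeEquals(String a, String b) {
        // MessageDigest.isEqual is constant-time on Java 6u17 and later.
        return MessageDigest.isEqual(a.getBytes(UTF8), b.getBytes(UTF8));
    }

    public void destroy() {
    }
}
```

Two caveats a practitioner would want alongside this. The Referer header is supplied by the client, so the first check only keeps out casual visitors and browsers that strip the header; the token is the real gate, and a token carried in a GET URL ends up in access logs, browser history and the outbound Referer of any page it links to, so the POST variant is the one to prefer. Second, as Chris points out, none of this populates a Principal: `request.getUserPrincipal()` stays null, so container security constraints and `isUserInRole()` will not treat the request as authenticated.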