RE: Token Security

2009-11-12 Thread John Morrison
nal Message-
> From: John Morrison [mailto:morr...@gmail.com]
> Sent: Thursday, November 12, 2009 9:04 AM
> To: users@tomcat.apache.org
> Subject: RE: Token Security
>
> Thanks guys, I've got what I need

RE: Token Security

2009-11-12 Thread Joseph Morgan
Did I just hear... "D--- the torpedos!"
-Original Message-
From: John Morrison [mailto:morr...@gmail.com]
Sent: Thursday, November 12, 2009 9:04 AM
To: users@tomcat.apache.org
Subject: RE: Token Security
Thanks guys, I've got what I needed working. Most appreciated.

RE: Token Security

2009-11-12 Thread Joseph Morgan
on [mailto:morr...@gmail.com]
Sent: Thursday, November 12, 2009 8:43 AM
To: Tomcat Users List
Subject: RE: Token Security
Nope. I've made it clear (and I've the email trail to prove) that I'm doing this this way solely at the order of the powers that be.
On Thu, November 12, 2009 2:31 pm,

RE: Token Security

2009-11-12 Thread John Morrison
Thanks guys, I've got what I needed working. Most appreciated. Regards, John.

RE: Token Security

2009-11-12 Thread John Morrison
be
> escorting you out???
>
> -Original Message-
> From: John Morrison [mailto:morr...@gmail.com]
> Sent: Thursday, November 12, 2009 8:18 AM
> To: users@tomcat.apache.org
> Subject: RE: Token Security
>
> On Thu, November 12, 2009 1:33 pm, Joseph Morgan wrote:
>> Joh

RE: Token Security

2009-11-12 Thread Joseph Morgan
SAML doesn't require JAVA, and is XML (a place where MS is strong)... but since it is XML, can be handled well by Java
-Original Message-
From: John Morrison [mailto:morr...@gmail.com]
Sent: Thursday, November 12, 2009 8:18 AM
To: users@tomcat.apache.org
Subject: RE: Token Securit

RE: Token Security

2009-11-12 Thread Joseph Morgan
And let me guess... the day a costly security breach occurs, they'll be escorting you out???
-Original Message-
From: John Morrison [mailto:morr...@gmail.com]
Sent: Thursday, November 12, 2009 8:18 AM
To: users@tomcat.apache.org
Subject: RE: Token Security
On Thu, November 12, 2

Re: Token Security

2009-11-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
John,
On 11/11/2009 5:29 PM, John Morrison wrote:
> Correct, at the moment there is no requirement to actually authenticate
> the user. However, I've been told to ensure that, if the client wishes
> (and pays) that the solution could be expanded to d

RE: Token Security

2009-11-12 Thread John Morrison
On Thu, November 12, 2009 1:33 pm, Joseph Morgan wrote:
> John,
>
> Just curious, but have you looked into existing token-based security
> mechanisms such as LTPA (if you're predominantly an IBM shop) or SAML?
Hi Joseph
I haven't to be honest; this isn't a java shop. MS is 99% of what we use but

Re: Token Security

2009-11-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
John,
On 11/11/2009 5:01 PM, John Morrison wrote:
> I've not come across filters before - I'll look into them in more depth at
> work tomorrow, however could you expound upon how you would envisage it
> working?
The filter simply checks your requirem

RE: Token Security

2009-11-12 Thread John Morrison
On Thu, November 12, 2009 1:49 pm, Joseph Morgan wrote:
>>Correct, at the moment there is no requirement to actually authenticate
>>the user. However, I've been told to ensure that, if the client wishes
>>(and pays) that the solution could be expanded to do so.
>
> I may have missed something, but

RE: Token Security

2009-11-12 Thread Joseph Morgan
>Correct, at the moment there is no requirement to actually authenticate
>the user. However, I've been told to ensure that, if the client wishes
>(and pays) that the solution could be expanded to do so.
I may have missed something, but are you simply trying to ensure secondary requests to web pa

RE: Token Security

2009-11-12 Thread Joseph Morgan
John,
Just curious, but have you looked into existing token-based security mechanisms such as LTPA (if you're predominantly an IBM shop) or SAML?
-Original Message-
From: John Morrison [mailto:morr...@gmail.com]
Sent: Wednesday, November 11, 2009 1:12 PM
To: users@tomcat.apache.org
Subj

Re: Token Security

2009-11-11 Thread John Morrison
Hi Christopher,
On Wed, November 11, 2009 10:07 pm, Christopher Schultz wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> John,
>
> On 11/11/2009 2:11 PM, John Morrison wrote:
>> 1) The referer must be XXX (configurable)
>> 2) There must be a token passed either GET or POST in the URL w

Re: Token Security

2009-11-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
John,
On 11/11/2009 2:11 PM, John Morrison wrote:
> 1) The referer must be XXX (configurable)
> 2) There must be a token passed either GET or POST in the URL which
> matches some internally generated code.
I agree with Mark: a relatively simple Filte

Re: Token Security

2009-11-11 Thread John Morrison
On Wed, November 11, 2009 9:51 pm, Mark Thomas wrote:
> John Morrison wrote:
>> Hi,
>>
>> I've been asked to put some security in place for a website, at the
>> moment
>> there are two requirements with a possible extension;
>>
>> 1) The referer must be XXX (configurable)
>> 2) There must be a toke

Re: Token Security

2009-11-11 Thread Mark Thomas
John Morrison wrote:
> Hi,
>
> I've been asked to put some security in place for a website, at the moment
> there are two requirements with a possible extension;
>
> 1) The referer must be XXX (configurable)
> 2) There must be a token passed either GET or POST in the URL which
> matches some inte