Hello,

Let me preface by saying my knowledge and experience with security is primitive.

I am now working on a project wherein we have a set of ASP pages with a custom authentication process. I have embedded a servlet into one of these ASP pages but want to avoid making the user authenticate twice (once for the ASP pages, once again to access the servlet). To that end, I have been doing a lot of online research, but haven't found any pre-existing solutions (which surprises me).

First question - does anyone know of anything already out there?

If I do have to create my own solution, I was thinking of having IIS, on the user's authentication, store the IP address of the authenticating user in a file on the server (say %TOMCAT%\conf\auth-users.xml or something). Then, when the user attempts to access the servlet, a custom Realm would check to see if his/her IP is in auth-users.xml and grant/deny access based on that.

My question is - is this feasible? Equally important, is it truly secure?

Thanks for helping out a total security n00b.

- John
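The address lookup proposed in the message above, as an added example that is not part of the original post: it shows what the check can and cannot distinguish when the source address is the only credential. The XML layout, the class and method names, the `at` timestamp with its one-hour limit, and the sample addresses are all assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class IpAuthCheck {
    // Constructed sample; element and attribute names are assumptions.
    static final String SAMPLE = "<auth-users>"
        + "<user name='alice' ip='203.0.113.7' at='2024-01-01T09:00:00Z'/>"
        + "<user name='bob' ip='198.51.100.4' at='2024-01-01T01:00:00Z'/>"
        + "</auth-users>";
    static final Duration MAX_AGE = Duration.ofHours(1); // assumed session limit

    // Load ip -> login time from the XML the ASP side would write.
    static Map<String, Instant> load(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so the file cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList users = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("user");
        Map<String, Instant> byIp = new HashMap<>();
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            byIp.put(u.getAttribute("ip"), Instant.parse(u.getAttribute("at")));
        }
        return byIp;
    }

    // What a Realm could evaluate: only the source address and the clock.
    static boolean isAuthorized(Map<String, Instant> byIp, String addr, Instant now) {
        Instant at = byIp.get(addr);
        return at != null && Duration.between(at, now).compareTo(MAX_AGE) <= 0;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Instant> byIp = load(SAMPLE);
        Instant now = Instant.parse("2024-01-01T09:30:00Z");
        // alice's browser, half an hour after she logged in through the ASP pages.
        System.out.println("alice:       " + isAuthorized(byIp, "203.0.113.7", now));
        // Another client behind the same NAT or proxy sends the same address,
        // so the inputs, and therefore the decision, match alice's request.
        System.out.println("same NAT:    " + isAuthorized(byIp, "203.0.113.7", now));
        // bob's entry is older than MAX_AGE; without the age test it never lapses.
        System.out.println("stale entry: " + isAuthorized(byIp, "198.51.100.4", now));
    }
}
```

The first two calls are deliberately identical: nothing in the request ties the address to the browser session that authenticated against the ASP pages, and the file also has to be writable only by the IIS side for any entry to mean anything.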