On Wed, November 11, 2009 9:51 pm, Mark Thomas wrote: > John Morrison wrote: >> Hi, >> >> I've been asked to put some security in place for a website, at the >> moment >> there are two requirements with a possible extension; >> >> 1) The referer must be XXX (configurable) >> 2) There must be a token passed either GET or POST in the URL which >> matches some internally generated code. >> >> The possible extension would be the token passed in would be sent to >> (another) webserver for validation. >> >> I've been looking at this, and I *think* that I need to add a JAAS >> realm, >> but I can't work out how to not have a login page. The security must >> deny >> access unless the above is matched. > > I'd just use a filter. > > Mark
Hi Mark, I've not come across filters before - I'll look into them in more depth at work tomorrow, however could you expound upon how you would envisage it working? Does the filter cover all the resources, because once the user token has been verified I wasn't going to pass it around anymore...? Thanks for the reply, John. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
