-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John,
On 11/11/2009 2:11 PM, John Morrison wrote: > 1) The referer must be XXX (configurable) > 2) There must be a token passed either GET or POST in the URL which > matches some internally generated code. I agree with Mark: a relatively simple Filter could be implemented that prohibits access unless the above requirements are met. These requirements don't really authenticate the user in any way, do they? Do you have to populate a Principal object in the request and then use that to do authorization? Or, do you just need to prevent unauthorized people from getting in? > I've been looking at this, and I *think* that I need to add a JAAS realm, > but I can't work out how to not have a login page. The security must deny > access unless the above is matched. > > I've seen reference to where auth-method can be NONE which I assume is > right (since none of the others are) but am at a loss as to how to get > this to work. You could always make your login page just look like a "Forbidden" page. There's nothing that says a login page has to contain a login form :) - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkr7Na0ACgkQ9CaO5/Lv0PBXEwCeLFod/89YKZsX0vFjr4eGYC1X +Z8AoI+Y+mK+4h/NORJ2LFmf1H/Rsf0Y =J/bL -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
