John, Just curious, but have you looked into existing token-based security mechanisms such as LTPA (if you're predominantly an IBM shop) or SAML?
-----Original Message-----
From: John Morrison [mailto:morr...@gmail.com]
Sent: Wednesday, November 11, 2009 1:12 PM
To: users@tomcat.apache.org
Subject: Token Security

Hi,

I've been asked to put some security in place for a website. At the moment there are two requirements, with a possible extension:

1) The referer must be XXX (configurable)
2) There must be a token passed either GET or POST in the URL which matches some internally generated code.

The possible extension would be that the token passed in would be sent to (another) webserver for validation.

I've been looking at this, and I *think* that I need to add a JAAS realm, but I can't work out how to not have a login page. The security must deny access unless the above is matched. I've seen reference to where auth-method can be NONE, which I assume is right (since none of the others are), but am at a loss as to how to get this to work.

Thanks for any advice or pointers to documentation.

Regards,
John.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
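For the two requirements in John's message (referer check plus a token in GET or POST), a servlet Filter is the usual way to deny access without a login page; the one below is an added example, not code from anyone in this thread. The init-param names, the `token` parameter name and the referer value are assumptions. Note that the Referer header is sent by the client and can be omitted or forged, so the token is the only part of this that actually controls access.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects any request whose Referer or token does not match. */
public class TokenReferrerFilter implements Filter {
    private String allowedReferer; // assumed init-param, e.g. "https://portal.example.com/"
    private String expectedToken;  // assumed init-param holding the internally generated code

    @Override
    public void init(FilterConfig cfg) {
        allowedReferer = cfg.getInitParameter("allowedReferer");
        expectedToken = cfg.getInitParameter("expectedToken");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String referer = request.getHeader("Referer");
        String token = request.getParameter("token"); // covers both query string and POST body
        if (!isAllowed(referer, token)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // deny, no redirect to a login page
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only when the referer has the configured prefix and the token matches exactly. */
    boolean isAllowed(String referer, String token) {
        if (referer == null || token == null || expectedToken == null) return false;
        if (!referer.startsWith(allowedReferer)) return false;
        // constant-time comparison so response timing does not reveal how much of the token matched
        return MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8),
                                     expectedToken.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml with a `<filter>` entry carrying the two init-params and a `<filter-mapping>` for the protected URL pattern; the later extension (validating the token against another server) would replace the `MessageDigest.isEqual` line with that remote call.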