This thread is quite long, but to sum up what I have understood 1) you have an application running on staging and production 2) you want to enable access to staging for public demos from anywhere on the internet - for this you want to add access controls 3) everyone else will access the application on an intranet with no access controls, e.g. no security constraints
Also you weren't happy with the suggestion of placing apache httpd infront as this would make staging different from production. Assuming the above is a fair summation of 15 emails, then - Why don't you expose tomcat via say port 80 and have no security enabled. This is what people use to access the production environment, and probably how you have things configured currently - For the "staging" server, configure exactly the same way for intranet access - For internet access have your firewall route through to a different port, which apache http listens on. Then add security to apache, and if they make it past the security forward the requests to the tomcat instance via say ajp. This won't give a 100% affinity in the cyber cafe for exactly what people will experience in production due to the extra steps. However it will be pretty close and this satisfies your security requirements. Also satisfies your load testing requirements - you load test on staging against the internal port - FWIW to me staging is where you test the roll out scripts - you shouldn't let anybody on it, and certainly not be doing any performance testing on it. I think I would call the environment you describe UAT - As already mentioned, if this doesn't work for you then the only other viable alternative that springs to mind is to add a filter that allows you to configure the security constraint on and off per installation. Anyway hope that helps Chris
