I may not be explaining it clearly. We have one corporate customer who is putting a link to our servlet on their intranet web page. Therefore, we know the domain name of the users who need custom authentication. We can also tell the customer to put whatever we need in the link, such as HTTP headers.
Does this give you enough information to propose a solution? On Tue, Jun 2, 2009 at 12:22 PM, Hassan Schroeder < hassan.schroe...@gmail.com> wrote: > On Tue, Jun 2, 2009 at 11:03 AM, Alec Swan <alecs...@gmail.com> wrote: > > Hassan, I don't think that the goals are contradictory, because each goal > > applies to its own group of users: our customer users and everybody else. > > Customer users should not have to enter user name and password, but > > everybody else should. > > IOW, you want it protected, and you want it openly accessable. > Sorry, that sounds contradictory to me :-) > > If you have "a customer who would like to put a link on a web page" > to your servlet, that servlet's URL is now "in the wild" -- anyone who > finds it can access it. > > > I am glad that you made me think about this, because maybe it is possible > to > > extend Tomcat authentication to also use client IP address or domain? > > How would you know a priori the IP or domain of the clients? > > -- > Hassan Schroeder ------------------------ hassan.schroe...@gmail.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
