John Morrison wrote:
> Hi,
>
> I've been asked to put some security in place for a website, at the moment
> there are two requirements with a possible extension;
>
> 1) The referer must be XXX (configurable)
> 2) There must be a token passed either GET or POST in the URL which
> matches some internally generated code.
>
> The possible extension would be the token passed in would be sent to
> (another) webserver for validation.
>
> I've been looking at this, and I *think* that I need to add a JAAS realm,
> but I can't work out how to not have a login page. The security must deny
> access unless the above is matched.

I'd just use a filter.

Mark
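
A servlet filter covering the two requirements in the question, as an added example that is not part of the original thread. The class name, the init-param names `allowedReferer` and `expectedToken`, the request parameter name `token`, and the use of the `javax.servlet` API (Tomcat 9 and earlier; `jakarta.servlet` on Tomcat 10+) are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: denies every request unless Referer and token both match.
// Init-param and request-parameter names are assumptions, not from the thread.
public class RefererTokenFilter implements Filter {
    private String allowedReferer;
    private byte[] expectedToken;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        allowedReferer = cfg.getInitParameter("allowedReferer");
        String token = cfg.getInitParameter("expectedToken");
        if (allowedReferer == null || token == null || token.isEmpty()) {
            // Fail closed: a misconfigured filter must not come up open.
            throw new ServletException("allowedReferer and expectedToken are required");
        }
        expectedToken = token.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String referer = http.getHeader("Referer");
        // getParameter covers both the query string (GET) and a form body (POST).
        String token = http.getParameter("token");
        // Exact match: a prefix test would also accept look-alike hosts.
        boolean refererOk = allowedReferer.equals(referer);
        // Constant-time comparison avoids leaking the token through timing.
        boolean tokenOk = token != null && MessageDigest.isEqual(
                token.getBytes(StandardCharsets.UTF_8), expectedToken);
        if (refererOk && tokenOk) {
            chain.doFilter(req, res);
        } else {
            // No login page: anything that does not match gets a plain 403.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override public void destroy() { }
}
```

The filter is registered with `<filter>` and `<filter-mapping>` elements in `web.xml`; the remote-validation extension would replace the local `MessageDigest.isEqual` check. The Referer header is supplied by the client, so the token is the check that actually carries the access decision.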