Leo Donahue - PLANDEVX wrote:
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Dynamic Security Constraints?
Leo Donahue - PLANDEVX wrote:
I'm not sure this is the right subject line, but if I wanted to use
Tomcat to publish large files (several GB) for different customers to
download, and each customer wanted their own secure URL (form based
login over HTTPS) from which to download their data, how would I add a
new security constraint url-pattern for authentication for new customers
without restarting the server? Is that even the correct approach?
Or would it just be easier to deploy a new pre-configured webapp for
each customer?
Your own choice of phrasing above is a bit ambiguous, but indeed your
last solution seems to be the easiest to implement.
Among other reasons, since you do not know who they are before they
login, it would be difficult to present each one of them with their own
specific login page.
(That's the ambiguous part, so I'm not sure that I understand your
requirement correctly).
Occasionally I get requests for GIS data in the tens of gigabytes. Our ftp
won't let us upload that amount of data, so I thought why not zip it and place
it on Tomcat for them to download. This data was sensitive in nature and they
wanted a secure login to whatever URL I provided for them to download that data.
Example: http://planning.maricopa.gov/customerx when they access this URL, they are presented with a form based login over HTTPS, and once authenticated, Tomcat serves up a directory with their zip file. Essentially, I would already have a preconfigured SQL database with users/roles and just whip up a webapp and send the customer a url/username/password with which to login. I was thinking I would just have webapp template that I modify when I get a request like that, deploy and then undeploy it after they get their data. Is there a better way?
Well, if they can all use the same login page, then after they login you know who they
are. And if you anyway have a database back-end, then whatever webapp they are logged-in
to, can do a database lookup and retrieve /their/ download link from the database, and
display it on the response page. Then you need only one webapp, and all you need to do is
add or modify or delete a record in the database.
Just don't make the download link too obvious, not to encourage one of them to change it a
little bit just to try..
For example, I would not make it like :
https://planning.maricopa.gov/customer001/secret_download_file.gis
;-)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
