Posted to users@httpd.apache.org by brainspank <co...@brainspank.net> on 2009/08/20 17:08:43 UTC

[users@httpd] need advice: servlet gets access, users get auto-authorized

I need some advice on what tools to use for implementing a PDF pre-fill
solution.  Here's the scenario:

User clicks PDF link, Apache passes request to servlet which verifies that
user can click that link.  If auth'd, servlet requests PDF *itself*
(avoiding a servlet loop) and performs pre-filling of fields before sending
to user.  If not auth'd, servlet gives "denied" page to user.

Restrictions:
* PDF accessed by only one URL, as determined by a content server
* needs to be transparent to user (i.e. no password, user interaction)
* need to avoid "security through obscurity" for legal/compliance reasons
* servlet exists on different server/instance/farm than content (I might be
able to change this...)

My initial thoughts were to do this through mod_rewrite, but I'm not sure
what I could pass from the servlet as a "key" that the user couldn't fake. 
I thought about somehow sharing valid generated keys between Apache/servlet,
but it would probably be disk-based and NFS wouldn't be fast enough (?)

pre-thanks for any ideas.

bs
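
One way to get a "key" the user cannot fake without any shared disk, as an added example that is not part of the original post: the servlet signs the PDF path and an expiry time with an HMAC key that only it and the content server hold, and the content server recomputes the MAC before serving. The key, the paths, the 30-second lifetime and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key; in practice a random secret configured on both servers.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 30  # seconds a token stays valid (assumed value)


def _mac(key: bytes, path: str, expires: int) -> str:
    # The MAC covers both the path and the expiry, so neither can be altered.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(key: bytes, path: str, now: int) -> str:
    """Servlet side: bind the token to one PDF path and an expiry time."""
    expires = now + MAX_AGE
    return f"{expires}.{_mac(key, path, expires)}"


def verify_token(key: bytes, path: str, token: str, now: int) -> bool:
    """Content-server side: recompute the MAC; no shared storage is needed."""
    expires_str, sep, mac_hex = token.partition(".")
    # Reject malformed tokens before parsing (isdigit alone accepts e.g. "²").
    if not sep or not (expires_str.isascii() and expires_str.isdigit()):
        return False
    expires = int(expires_str)
    if now > expires:
        return False  # expired: a captured token cannot be replayed later
    expected = _mac(key, path, expires)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), mac_hex.encode())


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token(SHARED_KEY, "/docs/form.pdf", now)
    print(tok, verify_token(SHARED_KEY, "/docs/form.pdf", tok, now))
```

The token's security rests on the secrecy of the key rather than on hiding the URL, and only the key has to be provisioned on both sides.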