What I've found is that it's best to have a one time use token.  It makes it
pretty hard to hack since I save the token (and check for reuse).  But that
means you have some additional overhead on the "main" system 'cause you'll
need to generate a new token for each request that's serviced by the other
systems.  In my world that's not an issue 'cause I only have one other
machine and 'cause I don't have to generate the token, only decrypt and
validate it.  That and each request is a single transaction.

But you may have issues with printing, if you only allow the token to be
used once then when they (the users) hit print in their web browser it will
want to re-download the images and sometimes the page.  For me that's not an
issue 'cause the design document specifies one and only one access per
token, but you may have issues there.  If your application is anything like
mine then that really could be an issue (mine it's the pictures that are
important, not the text on the page), so make sure that everyone signs off
on the design document prior to implementation.

If your application is all Java based (mine isn't) then you could pass
around a serialized Java object, assuming it's not too big.  It'd probably
be easier to use a nice short token however.


--mikej
-=-----
mike jackson
[EMAIL PROTECTED]
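
An added example, not code from this thread or from either poster: a hypothetical Java class sketching the design Mike and Jacob describe above, where Server A mints a token bound to the user id and the resource id, valid for an hour, and Server B accepts it once and records it so a second use is refused. It assumes both servers share an HMAC key and uses a signed token instead of an encrypted one, since Server B only has to verify the fields, not hide them; the class, method and field names are invented.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical download token: Server A mints it, Server B redeems it once. */
public final class DownloadToken {
    private static final long WINDOW_MS = 60L * 60 * 1000;          // one-hour validity window
    private final SecretKeySpec key;                                 // shared by both servers (assumed)
    private final Set<String> seen = ConcurrentHashMap.newKeySet();  // replay log; prune expired entries

    public DownloadToken(byte[] sharedSecret) {
        this.key = new SecretKeySpec(sharedSecret, "HmacSHA256");
    }

    /** Server A: userId|resourceId|expiry|nonce, then an HMAC over that payload. */
    public String mint(String userId, String resourceId, long nowMs, String nonce) throws GeneralSecurityException {
        String payload = userId + "|" + resourceId + "|" + (nowMs + WINDOW_MS) + "|" + nonce;
        String body = b64(payload.getBytes(StandardCharsets.UTF_8));
        return body + "." + b64(mac(body));
    }

    /** Server B: true only if the MAC matches, the window is open and the token is unused. */
    public boolean redeem(String token, String resourceId, long nowMs) throws GeneralSecurityException {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) return false;
        byte[] expected = mac(parts[0]);
        byte[] given = Base64.getUrlDecoder().decode(parts[1]);
        if (!MessageDigest.isEqual(expected, given)) return false;    // constant-time compare, before parsing
        String[] f = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 4 || !f[1].equals(resourceId)) return false;  // token is bound to this one resource
        if (nowMs > Long.parseLong(f[2])) return false;               // window closed
        return seen.add(parts[1]);  // false on the second use: the one-time rule (this is what breaks browser print)
    }

    private byte[] mac(String body) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }
}
```

A malformed base64 segment makes the decoder throw IllegalArgumentException, which the receiving servlet should catch and answer as a bad request; if Server B is ever more than one machine, the `seen` set has to move to a store those machines share, or the reuse check only holds per node.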

> -----Original Message-----
> From: Jacob Hookom [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 19, 2002 10:45 AM
> To: 'Tomcat Users List'
> Subject: RE: Design question
>
>
> That's exactly what I was thinking, for every page request, set a really
> simple 'digested' token of the user's id and the id of the resource the
> link allows.  The receiving servlet on another server peels apart the
> token based on the hour time span the token was valid.
>
> But cool, other people are doing the same thing :-)  I just don't want
> people to start calling up requests to the second server just by walking
> through id's.
>
> -Jacob
>
> | -----Original Message-----
> | From: Mike Jackson [mailto:[EMAIL PROTECTED]]
> | Sent: Monday, August 19, 2002 12:17 PM
> | To: Tomcat Users List
> | Subject: RE: Design question
> |
> | An encrypted token is one way of doing it.  We have a system where one
> | system validates the user and then it redirects the user to another site
> | passing an encrypted token (containing amongst other things a timestamp
> | to allow only a short "window" of opportunity for the token to be used)
> | as a parameter.
> |
> | --mikej
> | -=-----
> | mike jackson
> | [EMAIL PROTECTED]
> |
> | > -----Original Message-----
> | > From: Jacob Hookom [mailto:[EMAIL PROTECTED]]
> | > Sent: Monday, August 19, 2002 10:09 AM
> | > To: 'Tomcat Users List'
> | > Subject: RE: Design question
> | >
> | >
> | > I'm trying to accomplish the same thing--
> | >
> | > How do you authenticate on Server A, then have that principal carry
> | > over to Servers B and C for download authorization?
> | >
> | > Thanks!
> | > -Jacob
> | >
> | > | -----Original Message-----
> | > | From: Luminous Heart [mailto:[EMAIL PROTECTED]]
> | > | Sent: Monday, August 19, 2002 12:06 PM
> | > | To: Tomcat Users List
> | > | Subject: Re: Design question
> | > |
> | > | Yes Raju,
> | > | It should be doable. You can download TC latest and
> | > | hack some code. If you want to use something readily
> | > | available to help in the process, take a look at the
> | > | Tag libs available on Jakarta. Also there are a few
> | > | File Upload beans floating around the net, go to
> | > | google and type JSP File Upload Bean and see what you
> | > | will get.
> | > |
> | > | I have a couple of applications where a user will
> | > | upload files to a remote server after authenticating.
> | > |
> | > | regards.
> | > |
> | > | --- Raju Lokhande <[EMAIL PROTECTED]> wrote:
> | > | > Greetings everybody,
> | > | >  I am doing some research on the possibility of using
> | > | > Tomcat to do a project. General requirements are as
> | > | > follows:
> | > | > 1. A user will login to the web application and
> | > | > upload a file to a remote server. He or she can only
> | > | > access his or her WIN2K/NT domain to upload this
> | > | > file.
> | > | > 2. User will download a file or a number of files
> | > | > from the remote server - again from his or her
> | > | > domain.
> | > | > I was told that I can do this job using Java Servlets
> | > | > and IBM Websphere or BEA Weblogic.
> | > | > I am not sure if this is possible in Tomcat. Has
> | > | > anybody done similar work using Tomcat? Can you
> | > | > share your experiences please?
> | > | > Thanks
> | > | > Raju Lokhande