I have set up IIS with isapi_redirector2.dll to map all requests to
www.server.com/foo to my Tomcat server running ajp13 (using jk2) on port
8009. This works well. However, Tomcat (4.1.20) is running a servlet
with access to sensitive data, so I want to make sure not just anyone
can access /foo. As it stands now, the rest of the website (.asp pages)
is all password protected. So, the first time a user attempts to access
a page, they have to authenticate and then are able to access the
remaining pages as long as their session is kept alive. I want to place
/foo behind the same password scheme.

However, currently anyone can make their own web page with an <applet>
tag with "codebase='http://www.server.com/foo'" and can access the
sensitive servlet. I want to deny this behavior, so basically that comes
down to two requirements:
1) User directly requests /foo -> Request denied
2) User requests http://www.server.com/page.asp which requests /foo ->
Request succeeds

Note that I don't have access to the servlet source, and I would rather
not edit the isapi_redirector2 source if I don't have to. I can't
imagine I'm the first person to have this issue, so I'd like to know a
solution! If you can help, I'd very much appreciate it.

Thank you 
 
   - John

