Secure content on HttpServer using a Tomcat Application - any ideas?

We have a Web Application on Tomcat. The App accesses content(confidential) from dedicated 开发者_开发百科Apache HTTPServers. We do not want un-authorized users accessing this content. i.e. Only users authenticated through WebApp(on Tomcat) can access HttpServer content. (We are using HTTPS to secure the network, but if someone gets the direct httpserver url for content they may download content).

We are thinking of hosting content in side the same webapp on Tomcat. Any ideas?

---

The easy/lazy way to do this is to enforce that the HTTP Referrer on each hit to the Apache servers is the addrress of your Tomcat server. A page on that: http://www.htaccess-guide.com/deny-visitors-by-referrer/

However, it's fairly trivial for a hacker to spoof the HTTP referrer if they figure out that's your protection scheme.

Two more complicated but secure methods, in order of effort:

1. Write a JSP page or something on the Tomcat server that verifies the user is logged in, then fetches the data off Apache by HTTP, and then outputs the data back to the end user. You are effectively writing your own reverse proxy by doing this. Then have the Apache server locked down to only serve pages to the Tomcat server's IP address(es) (and any other authorzied/internal IPs you wish to allow). Pros: still pretty quick to do. Cons: you're using tomcat resources to display each page off the other server, it can introduce scalability issues, especially if the apache servers serve up large numbers of bytes (for instance, if apache serves up a 500 meg file, will that exhaust your tomcat script's memory? That depends how well you code and test your JSP page! Beware!). If the pages are tiny, it's probably not an issue.

2. Implement some kind of Single Sign On between Apache and Tomcat. This could be cookie based or something fancier still (like with a backend authentication server tracking the sessions). In this way Apache would know that the user requesting the https:// page was properly authenticated and would deny the request otherwise. Pros: Completely scalable. Cons: harder to set up, many of the solutions out there are commercial/pay products.