I have a Tomcat-hosted web-app; in one of the JSP pages the web-app displays, I am using an iframe to embed an HTML document.
I need to have the HTML pages separate to the web-app so that they can be altered without requiring a relaunch of the original web-app or access by editors to the web-app.
It is also essential that the HTML pages are secure and not available directly in any way, i.e. only available within this web-app or by authenticating the user. I also want to avoid making the user log in to both the web-app and the page in the iframe.
I am not sure how to approach this; I have an Apache server, PHP, and of course Tomcat at my disposal.
I can think of two approaches but am not sure how to implement either:
- I pass through the authentication details from the JSP page and store all the usernames etc. elsewhere for the .htaccess file to check against (not ideal as this means the upkeep of two username/password files)
- I somehow enforce that these pages can only be accessed when they are being shown within this iframe, i.e. use the web-app as an authenticator and hold the web pages to be only accessible via it.
Presently I can only think of a rather clunky, double log-in way, using .htaccess on an Apache server, which will require the user to enter a username and password again before viewing the documents.
Can anyone think of a more elegant solution?
Thanks!
CJ
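
One way to implement the second approach from the question (the web-app acting as the authenticator), as an added example that is not part of the original post: a servlet in the same web-app streams the HTML files from a directory that has no URL of its own, and only for requests that carry the web-app's logged-in session. The class name, the `/docs/*` mapping, the `/srv/protected-docs` path, the `user` session attribute and the UTF-8 encoding are assumptions; on Tomcat 10 and later the imports are `jakarta.servlet.*` instead of `javax.servlet.*`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; map it to /docs/* and point the iframe at /docs/<page>.html.
public class ProtectedDocServlet extends HttpServlet {
    // Assumed directory: writable by the editors, outside the web-app and
    // outside any Apache DocumentRoot, so the files cannot be fetched directly.
    private static final Path DOC_ROOT =
            Paths.get("/srv/protected-docs").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Reuse the web-app's existing login; never create a session here.
        HttpSession session = req.getSession(false);
        // "user" is an assumed attribute that the web-app sets at login.
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String name = req.getPathInfo();   // e.g. "/help/intro.html"
        Path file = null;
        try {
            if (name != null && name.endsWith(".html")) {
                file = DOC_ROOT.resolve(name.substring(1)).normalize();
            }
        } catch (InvalidPathException e) {
            file = null;                   // malformed name: treat as not found
        }
        // Reject "../" escapes and absolute paths. normalize() does not resolve
        // symlinks, so this assumes editors cannot place symlinks in DOC_ROOT.
        if (file == null || !file.startsWith(DOC_ROOT) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("text/html; charset=UTF-8");
        resp.setHeader("Cache-Control", "private, no-store");
        // Only pages from the web-app's own origin may frame the document.
        resp.setHeader("Content-Security-Policy", "frame-ancestors 'self'");
        Files.copy(file, resp.getOutputStream());
    }
}
```

Because the iframe request goes to the same host and context as the JSP page, the browser sends the existing session cookie and no second login is needed.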