I have developed a Tomcat application acting as a kind of CMS, where all the contents are stored in a subfolder of my Tomcat application named 'contents'.
I currently use a JNDI Realm configured to use the 'user' table of my application and which protects this folder, so users need to be connected to my application to see the contents.
But this is not sufficient, since my application gives the ability to define detailed access rights for each user, such as:
'user1' can access 'content1' at any time, and 'content2' only during july 2015.
'user2' can access 'content3' only during july 2015.
The problem with the current JNDI Realm is:
Once 'user1' is connected, if he knows how to use browser development tools, he will be able to give to 'user2' the URL of 'content1' and 'content2'.
And when 'user2' will be connected, he will be able to access 'content1' and 'content2' by entering the URL in another tab of the browser, since he has been authenticated by the JNDI Realm.
JAASRealm could be a solution if I can implement a custom logic where I get the URL requested by the user, and I check in my CMS database if the user has appropriate rights to access this URL at this moment.
Is this possible, and how? Tomcat doc at https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JAASRealm
is a bit weird for me.
If not, what would be alternative solutions?
For instance, I am also wondering if I could put this folder 'contents' in a cloud (Google, Microsoft, AWS), and configure this cloud storage so it is only accessible from my application. I know really few things about clouds