Tomcat Valves and restriction by IP address
The requirement to authenticate users through their IALLT credentials before letting them access the content eventually came down to an IP address restriction, which would enable the IALLT server to get our content and serve it on to its authenticated clients, and no-one else to access it. After much research, and struggling with the remarkably unhelpful (in this respect) Tomcat 6 documentation, we seem to have figured out how to do this.
The key is to create a Context for the web application, and then apply a Valve (a <Valve> element whose className is org.apache.catalina.valves.RemoteAddrValve) to control access to that <Context>. There are various ways to create a Context, but on a default Tomcat installation you need to know that the default Engine name is Catalina and the default Host name is localhost. Then you go to [Tomcat]/conf and create a folder structure inside it consisting of [Engine name]/[Host name]. So in our default setup, we end up with:
[Tomcat]/conf/Catalina/localhost
Next, you create an XML file inside that folder named for the Web application you're trying to protect. In our case, the Web application is called ialltjournal, and so the filename is ialltjournal.xml. That file needs to look like this:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="192.168.*,142.104.128.*"/>
</Context>
The only bit of the file you would change is the allow attribute, which is a comma-separated list of regular expressions matching the IP addresses or ranges you want to allow to access your content. Note that each pattern is a Java regular expression that has to match the whole remote address, so an unescaped dot matches any character; writing the patterns as 192\.168\..* and 142\.104\.128\..* says exactly what is meant. You can also use a deny attribute instead, if you just want to block some IPs.
Then you have to restart Tomcat (restarting the web application doesn't seem to be enough).
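As an added illustration (not the page's or Tomcat's own code), the following Python models the decision logic Tomcat 6's RemoteAddrValve applies to the allow and deny attributes described above, using the allow value from ialltjournal.xml; Java's whole-string matches() is mirrored with Python's re.fullmatch, and the addresses fed in are constructed samples.

```python
"""Model of how Tomcat 6's RemoteAddrValve decides whether a request may
pass. Constructed example, not Tomcat code. It reproduces the documented
semantics: allow and deny are comma-separated regular expressions, each
tested against the whole remote address; deny is checked first; a request
matching nothing is refused unless only deny patterns are configured."""
import re

# The allow value from the ialltjournal.xml shown above.
PAGE_ALLOW = "192.168.*,142.104.128.*"
# The same intent with the dots escaped so they match only literal dots.
ESCAPED_ALLOW = r"192\.168\..*,142\.104\.128\..*"


def parse_patterns(attr):
    """Split a comma-separated attribute into compiled regexes (absent -> none)."""
    if attr is None or not attr.strip():
        return []
    return [re.compile(p.strip()) for p in attr.split(",")]


def is_allowed(remote_addr, allow=None, deny=None):
    """True if the valve passes the request on, False if it answers HTTP 403."""
    denies = parse_patterns(deny)
    allows = parse_patterns(allow)
    # 1. Any deny match refuses the request, whatever allow says.
    if any(p.fullmatch(remote_addr) for p in denies):
        return False
    # 2. Any allow match lets the request through.
    if any(p.fullmatch(remote_addr) for p in allows):
        return True
    # 3. Deny-only configuration: everything not denied is allowed.
    if denies and not allows:
        return True
    # 4. Allow-only (or allow+deny) with no match, or no patterns at all: refuse.
    return False


if __name__ == "__main__":
    # Constructed sample addresses; the last one shows the unescaped-dot effect.
    for addr in ("192.168.1.10", "142.104.128.5", "10.0.0.1", "192x168.1.1"):
        print(f"{addr:14} page allow -> {is_allowed(addr, allow=PAGE_ALLOW)}, "
              f"escaped allow -> {is_allowed(addr, allow=ESCAPED_ALLOW)}")
```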
Stuff we don't yet know, and are still investigating:
I think it should be possible to make a Context more sophisticated by using a path attribute on the <Context> element, so that the restriction might be confined to specific folders or paths. However, I haven't been able to make that work.