
I have a Java website that runs on Apache Tomcat.

As the website is in Beta, I don't want it to be publicly accessible to anyone on the internet and I want a restricted group of beta testers to access the website thereby restricting access to all pages of the website.

The trouble is that the website already uses Spring Security in order to let what will eventually be members authenticate as part of the application's business logic (e.g. after they have registered).

So to recap: I want only beta testers to access the website. Afterwards they will be able to navigate the "public" pages and register as members of the website and then navigate the "private" pages.

I therefore need some kind of double authentication. I am not sure how to do that with my Ubuntu box.

Can anyone please provide advice?

balteo

1 Answer


First idea: if the beta testers will be coming from known IP addresses, just filter based on IP. This could be done at the firewall, or the webserver, or the application. If users' IPs will be changing, maybe a second webpage where they can go, enter a username and password, and their IP gets whitelisted inside the beta app (or on the firewall/webserver).

Next idea is hiding the beta site behind a firewall, and giving the Beta testers a VPN that gives access. Pretty easy to set up, but now you have the hassle of trying to get credentials and client software out to all of the Beta testers. If they don't work for you directly they may not like installing special software.

Fourth idea: Set up Squid or a webserver as a proxy. Have that proxy server require authentication before passing the request on to the "real" beta webserver.

mfarver
  • thanks a lot for your reply. I am going to research into Squid setup / usage and post here accordingly. Squid sounds like a good idea! – balteo Oct 10 '13 at 19:27
  • The Squid idea is definitely the good one for me. I haven't yet managed to get squid to work but it is not relevant to this post. I opened another post for that: [here](http://serverfault.com/questions/545330/issue-with-squid3-and-ncsa-authentication-on-ubuntu). Marking as accepted. – balteo Oct 11 '13 at 09:05
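
The answer's last idea (a web server acting as an authenticating proxy in front of the "real" beta server), sketched as an Apache httpd 2.4 configuration. This is an added example, not part of the original answer or comments; the hostname, file paths and Tomcat listening on 127.0.0.1:8080 are assumptions.

```apache
# Added example. Assumed modules: ssl, proxy, proxy_http, auth_basic,
# authn_file, headers. beta.example.com and all file paths are placeholders.
# Assumed: Tomcat's HTTP <Connector> in server.xml has address="127.0.0.1",
# so the application is reachable only through this gate.
# Assumed password file, created with: htpasswd -B -c <file> <tester-name>

<VirtualHost *:80>
    ServerName beta.example.com
    # Basic credentials are only base64-encoded, so never accept them over
    # plain HTTP: send everything to the TLS virtual host.
    Redirect permanent / https://beta.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName beta.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/beta.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/beta.example.com.key

    # Reverse proxy only; do not act as an open forward proxy.
    ProxyRequests Off

    # Outer layer: every URL requires a beta-tester account.
    <Location "/">
        AuthType Basic
        AuthName "Beta testers only"
        AuthUserFile /etc/apache2/beta-testers.htpasswd
        Require valid-user
    </Location>

    # Inner layer stays with Spring Security. Remove the gate's credentials
    # before forwarding so the application never sees the beta password and
    # does not try to treat it as a member login. The default (late)
    # processing of RequestHeader runs after Apache has checked the password.
    RequestHeader unset Authorization

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

With this layout the browser prompts once for the beta-tester credentials, after which the site's own registration and login (session-based in a typical Spring Security form-login setup) work unchanged behind the gate.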