We have a web application that uses cometd, running inside Jetty 6.1.11 using contrib/cometd/demo. When something changes in our web application, we push an update to connected clients using cometd's standard interface, roughly using the method described in [login to view URL]. (We don't actually use [login to view URL], but implement our own Bayeux client.)

We would like an authentication/authorization mechanism for our cometd installation so that only approved clients (either by IP address or authenticated in some other way) are authorized to publish to cometd. Anyone is still allowed to subscribe.

From the [discussion at cometd-dev][1], it appears that the correct way (or perhaps Correct Way) to do this is to implement authentication somewhere in Jetty, and then use the SecurityPolicy API to restrict Comet publishing to authorized clients. We expect the bidder to either use this method, or to justify the use of some other method very well.
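The publish/subscribe rule described above, as an added sketch that is not part of the original posting and does not use the cometd SecurityPolicy or Jetty classes. Every name in it (`PublishPolicyExample`, `PublisherAuthenticator`, `IpAllowlist`, `inCidr`) is hypothetical, and the addresses are constructed sample values.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

// Hypothetical names; models the decision only, no cometd/Jetty classes.
public class PublishPolicyExample {
    // Pluggable so a password or token check can replace or join the IP rule later.
    interface PublisherAuthenticator { boolean isApproved(String remoteAddr, String credential); }

    static class IpAllowlist implements PublisherAuthenticator {
        private final List<String> cidrs;
        IpAllowlist(List<String> cidrs) { this.cidrs = cidrs; }
        public boolean isApproved(String remoteAddr, String credential) {
            for (String cidr : cidrs) if (inCidr(remoteAddr, cidr)) return true;
            return false; // default deny
        }
    }

    // addr must be the literal socket peer address, not a client-supplied header.
    static boolean inCidr(String addr, String cidr) {
        if (addr == null || addr.isEmpty()) return false; // getByName would map these to loopback
        try {
            String[] parts = cidr.split("/");
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            byte[] ip = InetAddress.getByName(addr).getAddress();
            if (net.length != ip.length) return false; // IPv4 vs IPv6
            int bits = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (bits < 0 || bits > net.length * 8) return false; // reject bad prefix lengths
            for (int i = 0; bits > 0; i++, bits -= 8) {
                int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
                if ((net[i] & mask) != (ip[i] & mask)) return false;
            }
            return true;
        } catch (UnknownHostException | NumberFormatException e) {
            return false; // malformed input never grants access
        }
    }
    static boolean canSubscribe(String remoteAddr) { return true; } // open to everyone
    static boolean canPublish(PublisherAuthenticator auth, String remoteAddr, String credential) {
        return auth.isApproved(remoteAddr, credential);
    }

    public static void main(String[] args) {
        // Constructed sample allowlist and client addresses.
        PublisherAuthenticator auth = new IpAllowlist(Arrays.asList("10.0.5.0/24", "127.0.0.1"));
        System.out.println(canPublish(auth, "10.0.5.17", null));   // inside the allowlist
        System.out.println(canPublish(auth, "203.0.113.9", null)); // outside the allowlist
        System.out.println(canSubscribe("203.0.113.9"));
    }
}
```

Keeping the check behind an interface is what lets a username/password or token rule be added later without touching the publish decision itself.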
## Deliverables
In the bid, please specify what method you will use to create our authentication/authorization solution, i.e. the suggested "authorization in Jetty and Security Policy" solution (which may or may not require changes to either Jetty or cometd and contrib/cometd/demo), or some other method.

You should also specify whether you will implement IP-address-based authentication or some other authentication method. You are welcome to write to us with suggestions. If cost and complexity are the same, we would prefer an IP-address-based authentication, but would put a premium on a solution that can easily be expanded with username/password or token-based authentication at a later date.

Please note that the bid does not necessarily require actual coding. It is possible that the entire project can be solved with creative Jetty/cometd configuration files. However, our preliminary investigations suggest that this is unlikely.