I have a j2ee web application that is typically accessed over the intranet. I have a requirement to have only a small set of webpages in the application exposed over the internet. There isn't a large set of users who need the internet access. I dont really want to expose the whole application as is over the internet, since it has some other sensitive data. I'd like to add an extra layer of access restriction/security on top (even though the application has role based access). What would be a good way to achieve that?
Some options that come to mind are below (not given too much thought to it yet)

  1. Figure out something in Apache (our web server) to restrict access to only certain set of URLs in the application. Not sure if something like that is supported out of the box or with some modules.
  2. Mark internet based request with some attribute in Apache, and in the application layer use Spring security to restrict access.
  3. Use something like a citrix server to allow indirect access to the application through a virtual desktop. I wonder if this is easier said than done and if its really buying me anything.
  4. Build another web application that acts as a proxy to my large application for those limited web pages. Initial thought, this sounds like too much work.
  5. Your thoughts? Any other options?