We're using Plone to serve up some third-party middle-ware. Unfortunately the middle-ware has a particular servlet that gets invoked from a Java applet and doesn't do any kind of authentication. I would like to firewall this off and somehow wrap authentication around it, preferably using the existing session that users will have on Plone. My first idea was to configure nginx (which we're using as the reverse proxy) to check the cookie and only proxy if the user has a valid session (along the lines of this example). However, how to check the session ID against Plone, since it's all stored in the Zope database? Alternatively we could have a Plone python script that basically passes everything along to the back-end after authenticating, but I'm not sure how to do that. Any suggestions? Or alternative ideas?