Is it possible to limit the servlet access to a physical browser client? (MAC address inside HTTP header or so?)
Application background is to limit the application access (by any browser) to certain physical client computers with dynamically assigned IP addresses.
Yes, the HTTP request object contains the IP and other information of the one making the request. You can define an approve list that accepts/rejects requests based on the user's input information. I recommend putting this list in a file so that you don't have to recompile the servlet if you add/remove users/machines.
The problem I have to solve is to determine the physical client, which changes its IP from session to session due to dynamic IP assignment. So the IP information is worthless for me.
You can use certificate-based authentication, where the user must have a certificate installed before being able to access the site, and the site will only accept requests from clients with the certificate. It doesn't get used much so you may need to search for information.
If it really needs to be secured you can also look at solutions such as setting up a VPN and only allowing internal access to the site.
I don't have a book in front of me so I can't be certain, but I believe it is part of the J2EE spec and a topic in the SCWCD exam. It should be supported by servlet containers along with Basic and form-based authentication, but honestly I have never gone looking for it.
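The two suggestions in this thread (an approve list kept in a file, and certificate-based authentication) can be combined in a servlet filter. The following is an added example, not code posted by anyone in the thread: it allows a request only when the client certificate's SHA-256 fingerprint appears in a file. The class name, the `allowlistFile` init parameter and the file format are assumptions, and the container's TLS connector is assumed to be configured to request and validate client certificates.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
// Added example: assumes the TLS connector already requests and validates client certs.
public class ClientCertAllowlistFilter implements Filter {
    private Path allowlistFile; // assumed format: one hex SHA-256 fingerprint per line
    private Set<String> allowed = Collections.emptySet();
    private long loadedAt = -1;
    public void init(FilterConfig cfg) { // "allowlistFile" is a hypothetical init-param
        allowlistFile = Paths.get(cfg.getInitParameter("allowlistFile"));
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Standard servlet attribute: the chain the client presented over TLS.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0
                || !currentAllowlist().contains(fingerprint(certs[0]))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // fail closed: no certificate or unknown machine
        }
        chain.doFilter(req, res);
    }
    // Reload when the file changes, so machines are added or removed without a redeploy.
    private synchronized Set<String> currentAllowlist() throws IOException {
        long modified = Files.getLastModifiedTime(allowlistFile).toMillis();
        if (modified != loadedAt) {
            Set<String> fresh = new HashSet<>();
            for (String line : Files.readAllLines(allowlistFile))
                if (!line.trim().isEmpty()) fresh.add(line.trim().toLowerCase(Locale.ROOT));
            allowed = fresh;
            loadedAt = modified;
        }
        return allowed;
    }
    private static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return String.format("%064x", new java.math.BigInteger(1, d));
        } catch (GeneralSecurityException e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }
    }
    public void destroy() {}
}
```

A certificate identifies whoever holds its private key, so this ties access to a physical machine only as far as the key cannot be copied off that machine.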