On 19/06/17 08:24, Greg Huber wrote:
> Hello,
>
> If I add a security constraint to block direct access to jsp outside of
> /WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
> using this here?

Your welcome file is invalid. It should be a file name without a path.
Remember it applies to all directories, not just the web application root.

Security constraints apply to welcome files.

You'll need to use a servlet to do a forward to "WEB-INF/jsps/index.jsp"

Mark

>
> <!-- Restricts access to pure JSP files - access available only via Struts
> action -->
> <security-constraint>
>     <display-name>No direct JSP access</display-name>
>     <web-resource-collection>
>         <web-resource-name>No-JSP</web-resource-name>
>         <url-pattern>*.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>no-users</role-name>
>     </auth-constraint>
> </security-constraint>
>
> <security-role>
>     <description>Don't assign users to this role</description>
>     <role-name>no-users</role-name>
> </security-role>
>
> <welcome-file-list>
>     <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> </welcome-file-list>
>
> Cheers Greg
>
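
The forwarding servlet suggested in the reply, as an added example that is not part of the original thread. It assumes the javax.servlet API with annotation scanning enabled (Servlet 3.0+); the class name WelcomeServlet and the choice of the context-root mapping "" are assumptions made for this sketch.

```java
// Added example, not code from the thread or from Tomcat.
// Assumption: javax.servlet API; on containers that use the jakarta namespace,
// change the imports to jakarta.servlet.*. WelcomeServlet is a hypothetical name.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The empty-string pattern maps exactly to the context root (e.g. "/app/"),
// so the landing page no longer depends on a <welcome-file> entry that
// contains a path. Annotations are ignored if web.xml sets
// metadata-complete="true"; declare the servlet in web.xml in that case.
@WebServlet(urlPatterns = {""})
public class WelcomeServlet extends HttpServlet {

    // Fixed server-side target. Never derive a forward path from request
    // input, or callers could reach other resources under /WEB-INF/.
    private static final String INDEX_JSP = "/WEB-INF/jsps/index.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Security constraints are evaluated for client requests only.
        // A RequestDispatcher forward is an internal dispatch, so the
        // "*.jsp" constraint that produced the 403 is not applied here,
        // while a direct browser request for any .jsp is still denied.
        req.getRequestDispatcher(INDEX_JSP).forward(req, resp);
    }
}
```

With this in place the <welcome-file-list> entry pointing into WEB-INF can be removed; the *.jsp security constraint stays as it is.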