I am currently forcing my app to use https. Here is what I have in my = app web.xml file and it works as intended
<security-constraint> <web-resource-collection> <web-resource-name>securedapp</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> I also now want to restrict the browser from pulling up files in certain = directories. Search the web I see to use the following=20 <security-constraint> <web-resource-collection> = <web-resource-name>HTTP-Protected-Resource-1</web-resource-name> <description>Description here</description> <url-pattern >/path to directory/path to = directory/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint/> </security-constraint> These both work independently of each other. What I can=E2=80=99t = figure out is how to make them work together. When I try that, all = files are forbidden as it appears the <url-pattern>/*</url-pattern> = locks everything down. But without it, I cannot get tomcat to force = http to https. Can anyone help with this? Thanks, Kent Cole