Did you test that? I think <welcome-list/> ignore security constraints ... or maybe it was just Jetty ;)
2017-06-16 10:50 GMT+02:00 Greg Huber <gregh3...@gmail.com>: > ...Although it blocks the <welcome-file-list> file. > > <!-- Restricts access to pure JSP files - access available only via Struts > action --> > <security-constraint> > <display-name>No direct JSP access</display-name> > <web-resource-collection> > <web-resource-name>No-JSP</web-resource-name> > <url-pattern>*.jsp</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>no-users</role-name> > </auth-constraint> > </security-constraint> > > <security-role> > <description>Don't assign users to this role</description> > <role-name>no-users</role-name> > </security-role> > > <welcome-file-list> > <welcome-file>WEB-INF/jsps/index.jsp</welcome-file> > </welcome-file-list> > > On 16 June 2017 at 08:54, Lukasz Lenart <lukaszlen...@apache.org> wrote: > >> Great! I have added a ToC and pushed to the top :) >> >> http://struts.apache.org/security/ >> >> >> Regards >> -- >> Ćukasz >> + 48 606 323 122 http://www.lenart.org.pl/ >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org >> For additional commands, e-mail: dev-h...@struts.apache.org >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
