Tested it again tomcat (8.5.15), definitely a 403. Will see if I can find some more info.
On 19 June 2017 at 08:04, Lukasz Lenart <lukaszlen...@apache.org> wrote: > Did you test that? I think <welcome-list/> ignore security constraints > ... or maybe it was just Jetty ;) > > 2017-06-16 10:50 GMT+02:00 Greg Huber <gregh3...@gmail.com>: > > ...Although it blocks the <welcome-file-list> file. > > > > <!-- Restricts access to pure JSP files - access available only via > Struts > > action --> > > <security-constraint> > > <display-name>No direct JSP access</display-name> > > <web-resource-collection> > > <web-resource-name>No-JSP</web-resource-name> > > <url-pattern>*.jsp</url-pattern> > > </web-resource-collection> > > <auth-constraint> > > <role-name>no-users</role-name> > > </auth-constraint> > > </security-constraint> > > > > <security-role> > > <description>Don't assign users to this role</description> > > <role-name>no-users</role-name> > > </security-role> > > > > <welcome-file-list> > > <welcome-file>WEB-INF/jsps/index.jsp</welcome-file> > > </welcome-file-list> > > > > On 16 June 2017 at 08:54, Lukasz Lenart <lukaszlen...@apache.org> wrote: > > > >> Great! I have added a ToC and pushed to the top :) > >> > >> http://struts.apache.org/security/ > >> > >> > >> Regards > >> -- > >> Ćukasz > >> + 48 606 323 122 http://www.lenart.org.pl/ > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > >> For additional commands, e-mail: dev-h...@struts.apache.org > >> > >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > >
