The way that I've done it is to proxy all requests through an action. If I need to access a JSP w/o going through an action, I've used a DefaultAction that is mapped to unknown (search the archives for more on this). Then you can protect /do/* (or .do*) in your web.xml.
You could also protect *.jsp but then you probably couldn't get to your login pages if you're using form-based authentication.

HTH,
Matt

--- Dave J Dandeneau <[EMAIL PROTECTED]> wrote:
> If you have high security requirements and you don't want to put your
> jsps in the WEB-INF, then how should you do it? Can you use declarative
> security to make sure no one accesses a jsp directly?
>
> thanks,
> dave dandeneau
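
The declarative setup described in the reply above, as an added example that is not part of the original message: a `web.xml` fragment that protects `/do/*` with form-based authentication. The Struts 1 `ActionServlet` mapping, the role name `user`, and the `/login.jsp` and `/loginError.jsp` paths are assumptions.

```xml
<!-- Added example; role name and login page paths are assumed. -->
<web-app>
  <!-- Assumed: Struts 1 ActionServlet handling every /do/* request -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/do/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Actions</web-resource-name>
      <!-- Every request routed through an action matches this pattern.
           The reply notes that a *.jsp pattern here would also cover
           the login pages named in login-config below. -->
      <url-pattern>/do/*</url-pattern>
      <!-- No http-method elements: the constraint then applies to
           all HTTP methods, not only the ones listed. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Login pages sit outside the protected /do/* pattern -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```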

