Since you don't like that you might try this. Set security-constraints for all the file types you want to protect.
Then do NOT set an auth-constraint for it. Thus no one will be able to access it from outside.
Thanks Doug, that's the ticket.
Here's what I came up with:
I created a "page not found" HTML doc.
I then modified web.xml and
a) created a security constraint for the url pattern "*.jspsegment", with auth-constraint of "blockaccess"
b) created the role "blockaccess" with no users
c) set login-config to use the "FORM" auth-method, specifying the custom "page not found" doc for the login page - as it does not have any actual functionality, and no one has the blockaccess role, files with the extension "jspsegment" will never be served. Fun!
(You can do this without the "not found" form, but then you see a Tomcat-generated error rather than a more generic / app-specific message. Also, set this as your custom error page and any nosey types shouldn't be able to tell they've actually specified an existing page.)
PS Unless I am mistaken the file structure is controlled by the servlet spec. Thus Tomcat has no control over this feature.
You are correct - I was just being cranky.
thanks -Steve
Here are the additions to web.xml:
--%<----- (snip)
<error-page>
  <error-code>404</error-code>
  <location>/PageNotFound.html</location>
</error-page>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>jspsegment direct access</web-resource-name>
    <url-pattern>*.jspsegment</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>blockaccess</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>blockaccess</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>notfound</realm-name>
  <form-login-config>
    <form-login-page>/PageNotFound.html</form-login-page>
    <form-error-page>/PageNotFound.html</form-error-page>
  </form-login-config>
</login-config>
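An added example, not part of the original thread and not Tomcat code: a small Python check, written from the servlet specification's rules, that reports for each security-constraint in a web.xml whether it is open (no auth-constraint), role-restricted, or deny-all (an empty auth-constraint), and whether listing http-method elements leaves other methods outside the constraint. The helper names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-constraint from the message above in a <web-app>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jspsegment direct access</web-resource-name>
      <url-pattern>*.jspsegment</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>blockaccess</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def find(elem, name):
    """Descendants called `name`, ignoring any XML namespace on the tag."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def texts(elem, name):
    return [(e.text or "").strip() for e in find(elem, name)]


def audit(web_xml):
    """Return one finding per <security-constraint> (hypothetical helper)."""
    findings = []
    for sc in find(ET.fromstring(web_xml), "security-constraint"):
        auth = find(sc, "auth-constraint")
        roles = [r for a in auth for r in texts(a, "role-name")]
        if not auth:
            access = "open"      # no auth-constraint: served without authentication
        elif not roles:
            access = "deny-all"  # empty auth-constraint: no caller is authorized
        else:
            access = "roles"     # only callers mapped to a listed role
        methods = texts(sc, "http-method")  # if present, only these are constrained
        findings.append({
            "patterns": texts(sc, "url-pattern"),
            "access": access,
            "roles": roles,
            "all_methods_covered": not methods,
            "listed_methods": methods,
        })
    return findings
```

For the constraint posted above, `audit` reports role-based access limited to GET, POST and PUT; a constraint with `<auth-constraint/>` and no `http-method` elements is reported as `deny-all` with every method covered.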
