I am trying to configure my application so that everything has to be encrypted. I was able to do that by using the security constraint at the bottom of this message. I've had this working for awhile without a problem. However, now, I want to add an additional restriction. I want to make it so that users can't access .jsp files directly. So, I added an additional security-constraint. However, it doesn't work. The only way I can get the .jsp constraint to work is if I comment out the other one. I've tried changing the order of the constraints and that doesn't make a difference.
What am I doing wrong? Why doesn't it merge the two constraints together? It appears to just pick the most general case and go with that one. <security-constraint> <web-resource-collection> <web-resource-name>x</web-resource-name> <url-pattern>*.jsp</url-pattern> </web-resource-collection> <auth-constraint/> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>y</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> Jon --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
