That is exactly how I want to do it. In fact, if you look at my original message I describe what you recommend almost exactly.
Anyhow, I finally created a VERY simple security example web app with the following web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

    <description>Simple Security Example</description>
    <display-name>Simple Security Example</display-name>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <error-page>
        <error-code>403</error-code>
        <location>/403.jsp</location>
    </error-page>

    <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
</web-app>

And it works! Yeeehawwww!

Thanks for the help and discussion Ben.

/robert

> -----Original Message-----
> From: Ben Souther [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 14, 2004 10:35 PM
> To: Tomcat Users List
> Subject: RE: [newbie] Container Managed Security - preventing direct
> access to .jsp
>
>
> > It appears that there is no standard way to do this even though
> > it's implied in the spec.
>
> I don't know how standard this is but it works.
> The trick is in the auth-constraint node (note the commented out
> role-name).
> Since it is exclusive. Not declaring a role-name for the protected
> resource denies access to everyone.
>
> You then catch the 403 error with an error page mapping and you're good
> to go.
>
> The JSPs can still be accessed from the request dispatcher so you can
> reach them through the MVC pattern.
>
> I suppose a simpler solution would be simply to create a
> servlet-mapping with a url pattern of *.jsp and map it to an error
> servlet.
>
> If you want to test this out quickly grab the SimpleMVC.war from
> http://simple.souther.us and replace the web.xml file with this one.
> You'd have to create your own no-jsp-4-u.html page.
>
> Hope it helps
> -Ben
>
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>     version="2.4">
>
>     <servlet>
>         <servlet-name>
>             ControllerServlet
>         </servlet-name>
>
>         <servlet-class>
>             us.souther.simple.mvc.ControllerServlet</servlet-class>
>     </servlet>
>
>     <servlet-mapping>
>         <servlet-name>ControllerServlet</servlet-name>
>         <url-pattern>/simple-mvc</url-pattern>
>     </servlet-mapping>
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>
>                 off-limits
>             </web-resource-name>
>             <url-pattern>
>                 *.jsp
>             </url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <!--<role-name> manager </role-name>-->
>         </auth-constraint>
>     </security-constraint>
>
>     <error-page>
>         <error-code>403</error-code>
>         <location>/no-jsp-4-u.html</location>
>     </error-page>
> </web-app>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
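
An added illustration, not part of either message above: a small Python check that reads a web.xml and reports, for each url-pattern, whether its security-constraint is deny-all (an empty auth-constraint, the trick used in this thread), role-restricted, or has no auth-constraint at all. The sample descriptor is constructed; the `/admin/*` and `/reports/*` entries are made up to show the other two outcomes.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}  # web-app 2.4 namespace, as in the thread

# Constructed sample: the first two constraints mirror the two web.xml files
# in the thread; the last two are made up for comparison.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection><web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>off-limits</web-resource-name>
      <url-pattern> *.jsp </url-pattern></web-resource-collection>
    <auth-constraint><!--<role-name> manager </role-name>--></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Forgotten</web-resource-name>
      <url-pattern>/reports/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def classify_constraints(web_xml_text):
    """Map each url-pattern to 'deny-all', 'roles: ...' or 'no-auth-constraint'."""
    root = ET.fromstring(web_xml_text.encode("iso-8859-1"))
    verdicts = {}
    for sc in root.findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        if auth is None:
            # Element absent: the container applies no role check to these URLs.
            verdict = "no-auth-constraint"
        else:
            # The parser drops XML comments, so a commented-out role-name
            # leaves an empty auth-constraint, which denies everyone.
            roles = [r.text.strip() for r in auth.findall("j:role-name", NS)
                     if r.text and r.text.strip()]
            verdict = "roles: " + ", ".join(roles) if roles else "deny-all"
        for pat in sc.findall("j:web-resource-collection/j:url-pattern", NS):
            verdicts[(pat.text or "").strip()] = verdict
    return verdicts

if __name__ == "__main__":
    print(classify_constraints(SAMPLE_WEB_XML))
```
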