Thanks Wendy,

I found the following code in the Struts user list archive and it does what I
want. I'm not sure why I couldn't get WEB-INF to work but this may be a
better solution all in all.

<security-constraint>
        <web-resource-collection>
                <web-resource-name>SecureAllJSPs</web-resource-name>
                <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <description>
                        Protects all JSP files from direct access.  Clients
                        must go through the controller servlet.
                </description>
                <role-name>nobody</role-name>
        </auth-constraint>
</security-constraint>

<security-role>
        <description>No one should be put in this role.</description>
        <role-name>nobody</role-name>
</security-role>


Ken


-----Original Message-----
From: Wendy Smoak [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 4:20 PM
To: 'Tomcat Users List'
Subject: RE: Mapping .jsp to controller servlet


> I've found a workaround for the time being. Each .jsp page has access to a
> bean that includes login info. I changed jsp page to test to see if the
> login flag is true. If so nothing happens. If not then I use jsp:forward to
> send it back to the login.jsp page.
> So this will work until I feel ready to explore filters.

Search the Struts user list for options as this comes up repeatedly there.
In some cases, if the users don't go through the controller servlet then
things don't work right.

In addition to putting the JSPs under WEB-INF, another method I've seen
described is to configure security to protect all JSPs with a role like
"nobody" and then don't assign anyone to that role.

-- 
Wendy Smoak
Applications Systems Analyst, Sr.
Arizona State University PA Information Resources Management

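Added example (not part of the original messages, and not Tomcat or Struts code): the "nobody" role approach only holds while no account is ever given that role, so this Python check reads the roles guarding *.jsp from web.xml and lists any user in a tomcat-users.xml style file who holds one. The sample files, the function names and the use of tomcat-users.xml as the user store are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (assumptions, not files from the thread).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureAllJSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>nobody</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>nobody</role-name></security-role>
</web-app>"""
USERS_OK = '<tomcat-users><user username="ken" password="x" roles="staff"/></tomcat-users>'
USERS_BAD = '<tomcat-users><user username="ken" password="x" roles="staff,nobody"/></tomcat-users>'


def local(tag):
    """Strip an XML namespace so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]


def find(elem, name):
    """All descendants of elem (including elem) with the given local name."""
    return [e for e in elem.iter() if local(e.tag) == name]


def jsp_guard_roles(web_xml):
    """Roles required by constraints whose url-pattern is *.jsp.
    Returns None when no security-constraint covers *.jsp at all."""
    roles, covered = set(), False
    for sc in find(ET.fromstring(web_xml), "security-constraint"):
        if any((p.text or "").strip() == "*.jsp" for p in find(sc, "url-pattern")):
            covered = True
            for ac in find(sc, "auth-constraint"):
                roles |= {(r.text or "").strip() for r in find(ac, "role-name")}
    return roles if covered else None


def holders(users_xml, roles):
    """Users who hold any of the guard roles and could request JSPs directly."""
    hits = []
    for u in find(ET.fromstring(users_xml), "user"):
        have = {r.strip() for r in u.get("roles", "").split(",")}
        if have & roles:
            # Assumption: the account name is in 'username', or 'name' in older files.
            hits.append(u.get("username") or u.get("name"))
    return hits
```

An empty list from `holders` means the constraint still blocks every direct *.jsp request; a `None` from `jsp_guard_roles` means the descriptor has no such constraint.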