The easiest way is to simply put the JSP pages that you want to deny direct access to someplace under the WEB-INF directory. Direct access to anything under this if forbidden, but your controller is still allowed to forward or include.
A less good solution is to specify a security-constraint for these pages that requires the role, say 'forbidden' (that no user actually has). The drawback of this is that the user will be asked to login before being denied access to the page. Of course, if your goal is to annoy hackers, you might even prefer this one ;-). "Lee W" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi Everyone, > > After some good advise from members of this lists (thanks again) I have > started learning about servlets. > > I have created a simple servlet that act as a controller in my webapp, > this is where all requests get sent to. However I have not been able to > find a way to stop users from getting to the .jsp files that the servlet > uses for the presentation element. > > I know that I could use Tomcat along with Apache HTTP server to restrict > access to the JSP pages but I was wondering if anyone knew how to > specify in the web.xml file that users should not be able to get to the > jsp's but the servlets (and jsp's can access other jsp's via include or > forward). My reading of the docs on the tomcat website and by STW have > not yielded any suggestions. > > Thanks again. > > Regards > > Lee --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
