Hi,
I would like to block direct access to jsp files, and from what I've
read the best practice appears to be setting a security-constraint
within the web.xml file. (As opposed to storing all *.jsp files
within the WEB-INF folder, though please correct me if that's wrong).
I've currently tried using the following code to block *.jsp access:
<security-constraint>
<web-resource-collection>
<web-resource-name>no_access</web-resource-name>
<url-pattern>/pages/*</url-pattern>
</web-resource-collection>
</security-constraint>
... The effect of this code appears to be nothing, as I can still
gain acess to the jsp files stored within /pages/common/header.jsp for
example.
I have tried changing the url-pattern to "pages/*" (removing the
initial / character), though this blocks access to the entire web
module.
Any help / feedback appreciated.
Tim Christopher
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
