Due to security concerns and general fussiness on my part, I'd like to prevent users from requesting JSP pages directly, except for the login page. I want all requests to be handled by servlets. That way I can legitimately claim that all requests are being validated, input scrubbed, JSP's cannot be taken advantage of w/o their servlet chaperones being present, etc.
a. One way I read is by adding a <security-constraint> for each folder. One use case is for JSP include files. That looks possible but makes it seem like these are exceptions and not the rule. I want "deny, deny, deny" to be the default and the one or 2 allowable JSP pages to be the exception. b. Another way mentioned is by having most of the JSP files under the WEB-INF folder. That way the users don't have access to the JSP's but the servlets do. My understanding is a little wobbly here, because I can't conceptualize the virtual path for files under WEB-INF when sending a response. (See line of code below.) Also, that would require moving most of the JSP files. > request.getRequestDispatcher("folder/file.jsp"); // what about WEB-INF? Is there a "smart" way of doing this? Perhaps it would have been prudent to organize the JSP folders "properly" in the first place, but we're way beyond that now. Got any comments, suggestions, advice? Thanks. :-) -- Cris Berneburg CACI Lead Software Engineer