Hi Chris, thanks for your insight and reply.

cjb> I'd like to prevent users from requesting JSP pages directly,
cjb> except for the login page.

cs> Why except for the login page? I would include the login page
cs> as something that should be fronted with a (non-JSP) servlet,
cs> even if that servlet doesn't do anything right now. It gives
cs> you great flexibility in the future.

OK, that sounds reasonable.

cjb> I want all requests to be handled by servlets. That way I can
cjb> legitimately claim that all requests are being validated, input
cjb> scrubbed, JSPs cannot be taken advantage of w/o their servlet

cs> it's easy to put a servlet in front of everything that does
cs> *not* provide everything above, but... let's just assume that's
cs> all being competently done.

Well, it is still a work in progress.

cjb> a. One way I read is by adding a <security-constraint> for each
cjb> folder. One use case is for JSP include files. That looks
cjb> possible but makes it seem like these are exceptions and not
cjb> the rule. I want "deny, deny, deny" to be the default and the
cjb> one or 2 allowable JSP pages to be the exception.

cs> This is certainly doable, but it's a lot of work, and you have
cs> to maintain those blacklists as your application grows.

Agreed, and yuck.

cjb> b. Another way mentioned is by having most of the JSP files under
cjb> the WEB-INF folder. That way the users don't have access to the
cjb> JSPs but the servlets do. [...] Also, that would require moving
cjb> most of the JSP files.

cs> This is the way I've always seen it done, and the way I would
cs> recommend that you do it.

OK, gotcha.

cs> It *does* require that you move all your JSPs, but that's a one-time
cs> headache and it sets a precedent for the future of your project(s):
cs> put all your JSPs under /WEB-INF.

cs> You will of course also have to fix every include/forward that you
cs> have in your application

I was afraid of that. :-/ Looks like yet another round of refactoring. :-)

cs> fix every include/forward that you have in your application to
cs> include/forward to /WEB-INF/foo.jsp instead of just /foo.jsp.

OK, thanks for letting me know how to do that. Will it work for both scriptlet <%@ include file="abc.jsp" %> and JSP <jsp:include page="abc.jsp" /> includes?

--
Cris Berneburg
CACI Lead Software Engineer
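The "front every JSP with a servlet and keep the JSPs under /WEB-INF" arrangement discussed in this thread, as an added example (it is not code from the thread or from either poster). The servlet class, the `/login` mapping, the `example` package and the paths `/WEB-INF/jsp/login.jsp` and `/WEB-INF/jsp/fragments/` are assumptions for illustration; the example assumes a Servlet 3.0 or later container so that `@WebServlet` can be used instead of a web.xml mapping. The security-relevant point is the split between the two ways a JSP can be reached: a browser request for anything under `/WEB-INF` is refused by the container (Tomcat answers 404), while a server-side `RequestDispatcher` forward or include from the servlet reaches it normally, so the only path to the page runs through the servlet's validation.

```java
// Added example, not part of the original mailing-list thread.
// Assumes a Servlet 3.0+ container and that /WEB-INF/jsp/login.jsp exists.
package example; // hypothetical package name

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The only URL a client may use; the JSP it renders has no public URL.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Context-relative path: the container will not serve this to a browser,
    // but getRequestDispatcher() can forward to it.
    private static final String LOGIN_VIEW = "/WEB-INF/jsp/login.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Nothing to validate on a plain GET; just render the form.
        render(req, resp, null);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Input validation happens here, before the JSP ever sees the request.
        String user = req.getParameter("username");
        if (user == null || !user.matches("[A-Za-z0-9._-]{1,64}")) {
            // Re-render with an error; the JSP only displays what we hand it.
            render(req, resp, "Invalid username.");
            return;
        }
        // Authentication itself is out of scope for this example.
        resp.sendRedirect(req.getContextPath() + "/");
    }

    private void render(HttpServletRequest req, HttpServletResponse resp,
                        String error) throws ServletException, IOException {
        req.setAttribute("error", error);
        // Server-side forward: the request never leaves the container, so the
        // /WEB-INF restriction on direct client access does not apply.
        RequestDispatcher rd = req.getRequestDispatcher(LOGIN_VIEW);
        rd.forward(req, resp);
    }
}
```

Inside the assumed `/WEB-INF/jsp/login.jsp`, fragments that have also moved under `/WEB-INF` are pulled in with context-relative paths in either include form: the translation-time directive `<%@ include file="/WEB-INF/jsp/fragments/header.jsp" %>` is resolved when the page is compiled, and the request-time action `<jsp:include page="/WEB-INF/jsp/fragments/footer.jsp" />` is resolved through the same dispatcher mechanism the servlet uses. Both are internal to the container, so the fragments stay unreachable by a direct client request just like the page that includes them. A quick check after the move is to request one of the `/WEB-INF/jsp/...` paths with a browser or curl and confirm the container refuses it while the `/login` servlet still renders the page.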