Hi Woonsan,

Thanks for providing an "option C". :-) There is still much for me to learn.

cjb> Due to security concerns and general fussiness on my part, I'd like
cjb> to prevent users from requesting JSP pages directly [...]. That
cjb> way I can legitimately claim that all requests are being validated,
cjb> input scrubbed, JSPs cannot be taken advantage of w/o their
cjb> servlet chaperones being present, etc.

cjb> a. [...] adding a <security-constraint> for each folder.
cjb> b. [...] JSP files under the WEB-INF folder.

wk> c. Implement a servlet filter which is mapped to /* with dispatcher
wk> options: REQUEST, INCLUDE, FORWARD. The filter may check the request
wk> URI or include/forward URI (through request attributes).

While I have a general idea of what you mean, I don't know how to implement that. Is that a standard practice?

--
Cris Berneburg
CACI Lead Software Engineer
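
A sketch of the filter described in option (c), added here as an example; it is not part of the original message and is not code from either poster. The class name `DirectJspAccessFilter` is hypothetical, and the `javax.servlet` package assumes Servlet 3.x/4.x (on Tomcat 10 and later the same classes live under `jakarta.servlet`).

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: mapped to /* for the three dispatcher types named in option (c).
@WebFilter(urlPatterns = "/*", dispatcherTypes = {
        DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE })
public class DirectJspAccessFilter implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        DispatcherType type = request.getDispatcherType();

        if (type == DispatcherType.REQUEST) {
            // Container-decoded path, free of ";jsessionid=..." path parameters
            // that would defeat a suffix check on getRequestURI().
            String path = request.getServletPath()
                    + (request.getPathInfo() == null ? "" : request.getPathInfo());
            String lower = path.toLowerCase(Locale.ROOT);
            if (lower.endsWith(".jsp") || lower.endsWith(".jspx")) {
                // The client asked for the JSP itself: no servlet ran first.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        } else {
            // Servlet-initiated dispatch: record where it came from and where it goes,
            // using the request attributes the container sets for forward/include.
            boolean include = type == DispatcherType.INCLUDE;
            Object origin = include ? request.getRequestURI()
                    : request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
            Object target = include
                    ? request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI)
                    : request.getRequestURI();
            request.getServletContext().log(type + " " + origin + " -> " + target);
        }
        chain.doFilter(req, res);
    }
}
```

Returning 404 rather than 403 for a direct request avoids confirming that the JSP exists at that path.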