I've read that you can secure direct access to a JSP by placing it in the WEB-INF directory. I know you can also secure direct access to a JSP by creating a security constraint using URL patterns and assigning role names that do not exist.
I've also "heard" that when you secure a URL using a security constraint, that you are not securing the "resource". Most of the time I struggle with the semantics of the words people choose to use when discussing certain points. Is there a difference between securing the URL and securing the "resource"? Leo Donahue
