You could always position your JSPs inside the WEB-INF dir. This will enable you to access them only through server redirects rather than absolute URLs.

Sharon

-----Original Message-----
From: Kiran Badi [mailto:ki...@poonam.org]
Sent: Tuesday, June 19, 2012 3:10 AM
To: Tomcat Users List
Subject: Protect JSP from Direct Access in Tomcat 7.0.xx

Hi All,

I need your guidance again. I have a bunch of JSPs, close to 100+, which I need to protect from direct access.

I have this mapping in web.xml and it is not working. It seems that I probably need to define a role first and then use the settings below. But unfortunately my app is an open internet application which does not use a realm at all.

    <security-constraint>
        <display-name>DenyAccesstoDirectJSP</display-name>
        <web-resource-collection>
            <web-resource-name>sample.jsp</web-resource-name>
            <description>Sample confirmation JSP</description>
            <url-pattern>*.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
    </security-constraint>

All my JSPs reside in the webpages folder of the project directory. I know this is incorrect and probably gives direct access to the JSPs.

So I have some clarifications to ask:

1. Is there a way to tell Tomcat not to serve JSPs directly, probably via web.xml?
2. Is there any extra setting that is required if I move my JSPs inside web-inf? I created a folder under web-inf, created a sample hello world.jsp and then tried to invoke that JSP, but got a 404 message.

- Kiran

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
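
For the two questions in the original message, an added web.xml sketch that is not part of the thread: an empty <auth-constraint/> denies direct requests for *.jsp without any role or realm, and a <jsp-file> mapping serves a JSP kept under WEB-INF at a chosen URL. It assumes a Servlet 3.0 web app on Tomcat 7; the servlet name, the /hello URL and the /WEB-INF/jsp/hello.jsp path are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Question 1: deny direct client requests for any JSP.
       A security-constraint with no auth-constraint element (as posted)
       restricts nothing. An EMPTY auth-constraint means "no role may
       access", so the container answers 403 and no realm is needed. -->
  <security-constraint>
    <display-name>DenyAccesstoDirectJSP</display-name>
    <web-resource-collection>
      <web-resource-name>All JSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- No http-method elements: the constraint covers every method,
           not only GET and POST. -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Question 2: the container never serves /WEB-INF to clients, which
       is why requesting the JSP there returns 404. Expose it through a
       servlet mapping instead (hypothetical name, path and URL). -->
  <servlet>
    <servlet-name>hello</servlet-name>
    <jsp-file>/WEB-INF/jsp/hello.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>

  <!-- A servlet can reach the same file with
       request.getRequestDispatcher("/WEB-INF/jsp/hello.jsp").forward(...).
       Security constraints apply to client requests only, so forwards
       and includes to *.jsp keep working under the deny rule above. -->
</web-app>
```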