To protect your JSP, put them in a subdir of WEB-INF. Actions are still able to redirect to those JSPs but they are not direct accessible.
To protect your other files, just make a servlet and use path-mapping like '/resources/*' to map all requests to this servlet.
What kind of security breaches are JSPs susceptible to, once they protected by a security-constraint path mapping?
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
