Put all JSP pages that can't be accessed directly into a security constraint, only accessible by the role "nobody", which you will never add a user to. All accesses of JSPs will be through forwards from actions, which will not be blocked by that security constraint (unless you either have a broken web container or a Servlet 2.4 container where you've enabled auth on forward).
-----Original Message----- From: Jürgen Scheffler [mailto:[EMAIL PROTECTED] Sent: Thursday, January 15, 2004 8:15 AM To: [EMAIL PROTECTED] Subject: JSP Protection Hi, how do i block URL guessing? if someone requests abc.com/secret_page.jsp he gets it. In my Action i check if the user object has the right rights for this action and then i forward him. But if guesses the jsp, he opens it. Help me! Jürgen --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]