> It appears that there is no standard way to do this even though
> it's implied in the spec.

I don't know how standard this is but it works.

The trick is in the auth-constraint node (note the commented out role-name). Since it is exclusive, not declaring a role-name for the protected resource denies access to everyone. You then catch the 403 error with an error page mapping and you're good to go.

The JSPs can still be accessed from the request dispatcher so you can reach them through the MVC pattern.

I suppose a simpler solution would be simply to create a servlet-mapping with a url pattern of *.jsp and map it to an error servlet.

If you want to test this out quickly grab the SimpleMVC.war from http://simple.souther.us and replace the web.xml file with this one. You'd have to create your own no-jsp-4-u.html page.

Hope it helps
-Ben

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <servlet-name>ControllerServlet</servlet-name>
    <servlet-class>us.souther.simple.mvc.ControllerServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>ControllerServlet</servlet-name>
    <url-pattern>/simple-mvc</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>off-limits</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!--<role-name> manager </role-name>-->
    </auth-constraint>
  </security-constraint>

  <error-page>
    <error-code>403</error-code>
    <location>/no-jsp-4-u.html</location>
  </error-page>

</web-app>
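A way to check that a web.xml really has the deny-all setup described in the message above, written as an added example that is not part of the original post. The function name and the finding texts are made up for illustration, and the sample document is constructed from the constraint and error-page elements in the post.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}  # Servlet 2.4 namespace used in the post

# Constructed sample: the security-constraint and error-page from the post.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>off-limits</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!--<role-name> manager </role-name>-->
    </auth-constraint>
  </security-constraint>
  <error-page>
    <error-code>403</error-code>
    <location>/no-jsp-4-u.html</location>
  </error-page>
</web-app>"""

def jsp_lockdown_findings(web_xml):
    """Return a list of problems with the *.jsp deny-all setup (empty list = OK)."""
    root = ET.fromstring(web_xml)  # XML comments are dropped by the default parser
    findings, deny_all = [], False
    coll = "j:web-resource-collection/"
    for sc in root.findall("j:security-constraint", NS):
        patterns = [(p.text or "").strip() for p in sc.findall(coll + "j:url-pattern", NS)]
        if "*.jsp" not in patterns:
            continue
        auth = sc.find("j:auth-constraint", NS)
        if auth is None:
            findings.append("*.jsp constraint has no auth-constraint, so access is not restricted")
        elif auth.findall("j:role-name", NS):
            findings.append("*.jsp auth-constraint names roles that may request JSPs directly")
        elif sc.findall(coll + "j:http-method", NS):
            findings.append("*.jsp constraint lists http-method, other methods stay unconstrained")
        else:
            deny_all = True  # empty auth-constraint, all methods: nobody gets in
    if not deny_all:
        findings.append("no deny-all constraint (empty auth-constraint) covers *.jsp")
    codes = [(c.text or "").strip() for c in root.findall("j:error-page/j:error-code", NS)]
    if "403" not in codes:
        findings.append("no error-page mapping for 403, the container default page is shown")
    return findings

if __name__ == "__main__":
    print(jsp_lockdown_findings(SAMPLE) or "direct requests for *.jsp are denied to everyone")
```

The check distinguishes an empty auth-constraint (deny everyone) from a missing one (no restriction at all), which is the detail the commented-out role-name in the post depends on.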