Shouldn't there be an authconstraint in there? <auth-constraint/>, or something like that? Can't remember exactly.
Looks to me like you have defined the resource but not declared who (in this case nobody) has access to it. Erik -----Original Message----- From: Neil Aggarwal <[EMAIL PROTECTED]> Sent: Jul 14, 2005 3:48 PM To: 'Struts Users Mailing List' <user@struts.apache.org> Subject: Security constraint not working Hello: According to this page: http://www.javaworld.com/javaworld/jw-09-2004/jw-0913-struts.html In order to prevent people of accessing jsp pages directly without using my struts controller, I added this to my web.xml: <!-- Do not allow users to load jsps directly --> <security-constraint> <web-resource-collection> <web-resource-name>no_access</web-resource-name> <url-pattern>*.jsp</url-pattern> </web-resource-collection> </security-constraint> I added it and I can still load a page with the url to the jsp. Here is an example: http://dev.rentclubs.com/rentclubs/howWeStarted.jsp Any ideas? Thanks, Neil -- Neil Aggarwal, JAMM Consulting, (214) 986-3533, www.JAMMConsulting.com FREE! Valuable info on how your business can reduce operating costs by 17% or more in 6 months or less! http://newsletter.JAMMConsulting.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]