> > ________________________________ > > From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] > > <web-app> > > <security-constraint> > > <web-resource-collection> > > <web-resource-name>Everything</web-resource-name> > > <url-pattern>*.jsp</url-pattern> > > <url-pattern>*.html</url-pattern> > > <url-pattern>*.js</url-pattern> > > <url-pattern>/Servlet1</url-pattern> > > <url-pattern>/Servlet2</url-pattern> > > </web-resource-collection> >
Jeffrey, why don't you just use "catch all" url pattern? Is there anything that you don't want to be part of the same security constraint? In this case security constraint just enforces SSL, but could do other things, check roles, etc. In that case you might want to split secure and non-secure resources ... (e.g. login page should not be secure and login action should be secure, etc...) What are you trying to achieve? Cheers! Neven > > > Also willing to entertain critiques on my security-constraint section, > > but not that we don't use Tomcat authentication, so I want any > > requests for top-level files in the Web directory to also force https. > > >