Mark,

Thanks for the info. Originally I was using just index.jsp, but this also gets blocked with a 403:

<welcome-file>index.jsp</welcome-file>

I will look into the servlet suggestion.

Cheers Greg

On 19 June 2017 at 10:39, Mark Thomas <ma...@apache.org> wrote:

> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security constraint to block direct access to jsp outside of
> > /WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
> > using this here?
>
> Your welcome file is invalid. It should be a file name without a path.
> Remember it applies to all directories, not just the web application root.
>
> Security constraints apply to welcome files.
>
> You'll need to use a servlet to do a forward to "WEB-INF/jsps/index.jsp"
>
> Mark
>
> > <!-- Restricts access to pure JSP files - access available only via Struts action -->
> > <security-constraint>
> >   <display-name>No direct JSP access</display-name>
> >   <web-resource-collection>
> >     <web-resource-name>No-JSP</web-resource-name>
> >     <url-pattern>*.jsp</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>no-users</role-name>
> >   </auth-constraint>
> > </security-constraint>
> >
> > <security-role>
> >   <description>Don't assign users to this role</description>
> >   <role-name>no-users</role-name>
> > </security-role>
> >
> > <welcome-file-list>
> >   <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> > </welcome-file-list>
> >
> > Cheers Greg
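
The servlet forward suggested in the quoted reply, as an added example that is not part of the original thread. It assumes the javax.servlet API (Tomcat 9 and earlier; the package is jakarta.servlet on Tomcat 10+), a hypothetical class name WelcomeServlet, and the Servlet 3.0 empty-string mapping for the context root in place of a welcome-file entry.

```java
package example;

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical front servlet for the application root (added example).
 *
 * The "*.jsp" security constraint is evaluated against the URL the client
 * requested. A request for "/" handled here is not a "*.jsp" request, and
 * the Servlet security model is not re-applied to RequestDispatcher
 * forwards, so the JSP under /WEB-INF/ renders while a direct request for
 * any .jsp URL still gets the 403.
 */
@WebServlet(name = "welcome", urlPatterns = {""}) // "" = exact match on the context root
public class WelcomeServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Context-relative path taken from the thread; never derived from request input.
    private static final String INDEX_JSP = "/WEB-INF/jsps/index.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        RequestDispatcher dispatcher = req.getRequestDispatcher(INDEX_JSP);
        if (dispatcher == null) {
            // The container could not resolve the target; fail closed.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Server-side forward: the browser never sees the /WEB-INF/ path.
        dispatcher.forward(req, resp);
    }
}
```

Keeping the forward target a constant matters here: a target built from a request parameter would let a client reach any resource under /WEB-INF/ through this servlet.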