David, thanks for taking the time to reply. :-)

cjb> Due to security concerns and general fussiness on my part, I'd like to
cjb> prevent users from requesting JSP pages directly [...]. That way I can
cjb> legitimately claim that all requests are being validated, input scrubbed,
cjb> JSPs cannot be taken advantage of w/o their servlet chaperones being
cjb> present, etc.

dw> JSPs are servlets.

dw> For us, the common way would be for your non-JSP servlets to authenticate
dw> the request (and save the results in the request), and then your JSPs can
dw> check if the request has been authenticated before progressing further.

dw> Of course, if it's just a login check, you can save the results of the
dw> authentication in the session, and when missing, redirect to your login.

It's more than just initial authentication, which the application does perform. I want to:

1. Prevent users from requesting pages directly to:
   a. Prevent errors due to missing query data from bypassed process.
   b. Reduce the application's attack surface size.
2. Hide JSPs from security scanning software. Again, shrinking the app's attack surface.

See Chris Shultz's reply about MVC, which captures my concerns most eloquently.

--
Cris Berneburg
CACI Lead Software Engineer
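One way to enforce the "servlet chaperone" rule discussed above in Tomcat, as an added example that is not code from either poster: a servlet filter on `*.jsp` that refuses any request the client addressed to a JSP directly (dispatcher type REQUEST) and only lets through server-side forwards on which the controller servlet has already set a "validated" attribute. The package, filter name and attribute name are assumptions; the simpler companion measure of keeping JSPs under `/WEB-INF/`, which the container never serves directly but can still forward to, is noted in the comments.

```java
package example.web; // assumed package name

import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Blocks direct client requests for JSPs so that a JSP can only be reached
// through a controller servlet that has validated the input first.
// (Placing the JSPs under /WEB-INF/ gives the same "no direct access"
// property for free; this filter adds the "was it validated" check on top.)
@WebFilter(urlPatterns = "*.jsp",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD,
                              DispatcherType.INCLUDE})
public class JspChaperoneFilter implements Filter {

    // Attribute the controller servlet sets after scrubbing the input (assumed name):
    //   request.setAttribute(JspChaperoneFilter.VALIDATED, Boolean.TRUE);
    //   request.getRequestDispatcher("/pages/report.jsp").forward(request, response);
    public static final String VALIDATED = "example.request.validated";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // REQUEST means the browser (or a scanner) named the .jsp itself.
        boolean direct = request.getDispatcherType() == DispatcherType.REQUEST;
        boolean validated = Boolean.TRUE.equals(request.getAttribute(VALIDATED));

        if (direct || !validated) {
            // 404 rather than 403: do not confirm to a scanner that the JSP exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```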