Hi Louis,

Thanks for replying to my request for help. :-)

cjb> Due to security concerns and general fussiness on my part, I'd like
cjb> to prevent users from requesting JSP pages directly [...]. That
cjb> way I can legitimately claim that all requests are being validated,
cjb> input scrubbed, JSP's cannot be taken advantage of w/o their
cjb> servlet chaperones being present, etc.

cjb> a. One way I read is by adding a <security-constraint> for each
cjb> folder. One use case is for JSP include files. That looks possible
cjb> but makes it seem like these are exceptions and not the rule. I
cjb> want "deny, deny, deny" to be the default and the one or 2 allowable
cjb> JSP pages to be the exception.

lz> can't you create a Security Folder and list out only the JSPs
lz> that you want to allow the users access to? My application is
lz> a third party application so I didn't develop it but they use
lz> a folder that has a list of .jsps that I can access so I assume
lz> they have set it up in the code.

It sounds like you're suggesting something like option (a), using
security constraints linked to folders.

lz> Or am I just telling you the end state that you want to achieve
lz> without actually suggesting any coding for you?

Yeah, that's an end-state, and the security folder would be one possible
method of getting there.

--
Cris Berneburg
CACI Lead Software Engineer
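
The deny-by-default arrangement discussed in this message, sketched as a web.xml fragment. This is an added example, not part of the original thread or of the application's own configuration, and the two allowed JSP paths are hypothetical placeholders. It relies on two Servlet specification rules: an empty auth-constraint denies all access, and an exact-match url-pattern takes precedence over an extension pattern.

```xml
<!-- Goes inside <web-app> in WEB-INF/web.xml. Added example; the
     JSP paths in the second constraint are hypothetical. -->

<!-- Default: refuse every direct client request for a JSP, in any
     folder. An empty <auth-constraint/> means no role is allowed.
     No <http-method> is listed, so all HTTP methods are covered. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All JSPs: no direct access</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Exceptions: exact-match patterns are the best match for these
     URLs, so this constraint applies instead of the *.jsp one.
     It has no <auth-constraint>, so access is unrestricted. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Directly requestable JSPs</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
    <url-pattern>/error.jsp</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Security constraints apply to client requests only. A servlet
     that forwards to or includes a JSP through RequestDispatcher is
     not checked against them, so servlet-fronted JSPs and JSP
     include files keep working while direct requests are denied. -->
```

To check the result after deployment, request a denied JSP directly and confirm the container answers 403, then confirm that the same JSP still renders when reached through its servlet.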