tomcat-users mailing list archives

From Ben Souther <>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Wed, 15 Dec 2004 03:34:55 GMT
> It appears that there is no standard way to do this even though
> it's implied in the spec.

I don't know how standard this is but it works.
The trick is in the auth-constraint node (note the commented out
Since it is exclusive. Not declaring a role-name for the protected
resource denies access to everyone.

You then catch the 403 error with an error page mapping and you're good
to go.  

The JSPs can still be accessed from the request dispatcher so you can 
reach them through the MVC pattern.

I suppose a simpler solution would be simply to create a
servlet-mapping with a url pattern of *.jsp and map it to an error

If you want to test this out quickly grab the SimpleMVC.war from and replace the web.xml file with this one.
You'd have to create your own no-jsp-4-u.html page.

Hope it helps

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns=""

      <!--<role-name> manager </role-name>-->

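The deny-all constraint described in the message above, written out as a complete descriptor. This is an added example, not the web.xml from the original post. It assumes a Servlet 2.4 container and a hypothetical controller servlet `example.ControllerServlet` mapped to `/app/*`; the error page name is the one the message mentions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Hypothetical controller: the only public entry point. It reaches the
       JSPs with RequestDispatcher.forward(), which the container does not
       check against security constraints. -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <servlet-class>example.ControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Direct JSP access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- No http-method elements, so the constraint covers every method.
           Listing only GET and POST would leave the other methods open. -->
    </web-resource-collection>
    <!-- Present but empty: no role is authorised, so every direct request
         for a JSP is refused with 403. Removing the auth-constraint element
         entirely would have the opposite effect and allow everyone. -->
    <auth-constraint>
      <!--<role-name>manager</role-name>-->
    </auth-constraint>
  </security-constraint>

  <!-- Static page shown for the 403. It must not match *.jsp, or the
       error page itself would be blocked. -->
  <error-page>
    <error-code>403</error-code>
    <location>/no-jsp-4-u.html</location>
  </error-page>

</web-app>
```

To check the result, request a JSP by its URL and confirm the 403 page is returned, then request the same view through the controller mapping and confirm it renders.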