How can you prevent users from accessing a JSP directly that is designed to be used from an Action?

Ted Husted

Put those JSP pages in a directory under WEB-INF; for example, WEB-INF/jsp. Files under the WEB-INF directory cannot be directly accessed. Another approach is supported by the servlet API if you are using container-managed security for your application. You can define a security constraint that lists no roles as being allowed, which the servlet container will interpret as not allowing access to anyone directly from a request. You can forward to (or include) such a page -- just not request it directly.

Note that this behavior was not clearly specified in the 2.2 servlet spec, so your mileage might vary there -- but all 2.3 containers are required to act this way.

Consider the following security constraint:

<security-constraint>
<web-resource-name>All JSP Pages</web-resource-name>

In a servlet 2.3 container (such as Tomcat 4.0), this is interpreted to mean that there is no direct access at all to any URL like:


but you are allowed to use a request dispatcher to access them. This is because security constraints are to be checked only on the *original* URL, not on the forward/include. Thus, if you want to ensure that a page is accessed only via the controller servlet, you can give it a URL path within the "pages" subdirectory, and the container will take care of this for you.
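A way to check a deployment descriptor for this behavior, as an added example (not code from the original answer): it reports whether a direct request to a path is denied by an empty auth-constraint, limited to named roles, or left open. The web.xml content, the /pages/* and /reports/* patterns, and the function names are assumptions made for the example; it ignores http-method elements and treats every matching url-pattern as applicable.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (servlet 2.3 style, no XML namespace). The url-pattern
# values and the "manager" role are assumptions for this example.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP Pages</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def matches(pattern, path):
    """Servlet url-pattern matching: exact, '/prefix/*' and '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def direct_access(web_xml, path):
    """Return 'denied', 'roles:<names>' or 'open' for a direct request to path."""
    verdict = "open"
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        if not any(matches(p, path) for p in patterns):
            continue
        auth = sc.find("auth-constraint")
        if auth is None:
            continue  # no auth-constraint element: this constraint restricts nobody
        roles = [r.text.strip() for r in auth.iter("role-name")]
        if not roles:
            return "denied"  # empty auth-constraint: no role may request it directly
        verdict = "roles:" + ",".join(roles)
    return verdict
```

A constraint with no auth-constraint element at all is different from one with an empty element: the first leaves the pages open to direct requests, the second blocks them.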