Tuesday, June 21, 2016

Restrict direct access to JSP's in your application

Sometimes you want to stop users from reaching a JSP directly, for example by typing its URL into the browser without logging in, so that the page is only ever served through your application's own servlets.

In this scenario you have 2 options ->

Option 1) Put all JSP's under the WEB-INF folder. The container never serves anything under WEB-INF to a client, so such a JSP can only be reached through a RequestDispatcher forward or include from a servlet.

Option 2) Add the following security constraint to the web.xml file. Security constraints are applied only to requests arriving from the client; a forward or include performed by a servlet is not checked, so the JSP's stay reachable through your own controllers.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>No direct access to JSP files</description>
        <url-pattern>*.jsp</url-pattern>
        <!-- No <http-method> elements on purpose: when none are listed the
             constraint covers every HTTP method. Listing only GET and POST
             would leave HEAD, PUT, DELETE and the rest unprotected. -->
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to JSP files</description>
        <!-- A role that no user is ever mapped to, so nobody passes the check.
             An empty <auth-constraint/> element has the same effect. -->
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>

Note: In the above code snippet you need to adjust the url-pattern to match where your JSP's live. The servlet specification accepts an extension pattern, which covers every JSP in the application ->
<url-pattern>*.jsp</url-pattern>
or a path-prefix pattern, which covers everything under one folder ->
<url-pattern>/FolderName/*</url-pattern>
A combination such as /FolderName/*.jsp is not a valid url-pattern and will not match anything, so the constraint would silently do nothing.
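The following controller servlet is an added example, not code from the original post, showing how a JSP kept under WEB-INF (Option 1) is actually served, and why the login check has to live in the servlet: the paths /dashboard, /login and /WEB-INF/jsp/dashboard.jsp and the session attribute name "user" are assumptions for illustration.

```java
// Added example (not from the original post): a controller servlet that serves a
// JSP stored under WEB-INF. The paths /dashboard, /login and
// /WEB-INF/jsp/dashboard.jsp and the session attribute "user" are assumptions.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/dashboard")
public class DashboardServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A forward is not subject to web.xml security constraints, so the
        // servlet must verify the login state itself before forwarding.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // The container never serves /WEB-INF/... to a client, so typing
        // /WEB-INF/jsp/dashboard.jsp into the browser yields 404; only a
        // server-side forward like this one can reach the page.
        req.getRequestDispatcher("/WEB-INF/jsp/dashboard.jsp").forward(req, resp);
    }
}
```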