Hi, My ligin.html file sends the username and password to a servlet to validate. the servlet must return a .html file if the uername and password is correct. The user must be able to accesss the .html file only if he has logged in. I am not able to accomplish this part, because when my servlet is returning the .html file the entire URL of the file is displayed in the browsers location bar. Therefore, the URL can be copied and pasted in another browser and the .html file will be displayed. Could you tell me how to solve this problem? thanks in advance
Hans Bergsten, in his book JavaServer Pages (O'Reilly) http://www.amazon.com/exec/obidos/ASIN/156592746x/electricporkchop suggests a way of protecting HTML static resources or JSPs from being viewed the way you say. You'd have to code something like this in the web.xml file: <security-constraint> <web-resource-collection> <url-pattern>yourSecretPage.html</url-pattern> </web-resource-collection> <auth-constraint> <role-name>nobody</role-name> </auth-constraint> </security-constraint> DON'T assign any user to the "nobody" role. Then use a RequestDispatcher to get to the page. Since dispatching a Request is an internal affair, the constraint doesn't have any effect, but no one will be able to "cut and paste" a URL to get to the page.
Tony Alicea Senior Java Web Application Developer, SCPJ2, SCWCD