Hello everyone, does the Servlet spec offer any means to deny remote access to all resources of a specific type (let's say *.include), but allow to include()/forward() them from another Servlet in the same context? Regards, Andreas
I don't recall the spec saying anything about this specifically. However, there are some solutions. You could place the included files in a protected directory, denying all privileges through your web.xml settings (you could still include and forward I believe).
Thanks for your reply. Adding

    <security-constraint>
      <web-resource-collection>
        <url-pattern>*.include</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

to web.xml works as expected. Regards, Andreas
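A deployment check for the constraint discussed in this thread, as an added example that is not part of the original posts: it parses a web.xml and reports whether direct requests to a URL pattern are denied for every HTTP method. The sample descriptor, the *.partial pattern and the function names are constructed for illustration; a constraint that lists <http-method> elements only covers those methods, so it is reported as "partial".

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the thread, plus a second,
# hypothetical one that restricts itself to GET only.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>include-fragments</web-resource-name>
      <url-pattern>*.include</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>partials</web-resource-name>
      <url-pattern>*.partial</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def deny_status(web_xml, pattern):
    """Return 'denied', 'partial' or 'open' for direct requests to pattern."""
    root = ET.fromstring(web_xml)
    status = "open"
    for sc in children(root, "security-constraint"):
        auth = children(sc, "auth-constraint")
        # Deny-all means <auth-constraint> is present and names no role.
        if not auth or any(children(a, "role-name") for a in auth):
            continue
        for wrc in children(sc, "web-resource-collection"):
            pats = [(p.text or "").strip() for p in children(wrc, "url-pattern")]
            if pattern not in pats:
                continue
            # Listed or omitted methods leave other methods uncovered.
            if children(wrc, "http-method") or children(wrc, "http-method-omission"):
                status = "partial"
            else:
                return "denied"
    return status
```
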