Due to standards beyond my control I had to move my jsps from beneath /WEB-INF/jsp to /jsp. In order to prevent access to my jsps I added a security-constraint, blocking access to the jsps. Unfortunately, now none of my tiles display properly, instead I get the error message: [Exception in:/jsp/body/home_body.jsp] Response has already been committed for all the protected pages. The problem is that for each protected page, its trying to authenticate the user using the FORM authentication that I have set-up (this is a separate security-constraint from the jsp protection). All I want to prevent is direct access to the jsp, not access through other means (e.g. action/tile). Thanks.