I think the web.xml security constraint is for direct access from the client.
|BSc in Electronic Eng| |SCJP 6.0 91%| |SCWCD 5 92%|
Joined: Jan 24, 2003
That appears to be true. I found this.
Security constraints work only on the original request URI and not on calls made through a RequestDispatcher (which include <jsp:include> and <jsp:forward>). Inside the application, it is assumed that the application itself has complete access to all resources and would not forward a user request unless it had decided that the requesting user also had access.
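The behaviour described above, as an added example that is not part of the original posts. It assumes a web.xml `<security-constraint>` covering `/admin/*` for a role named `admin`, and a servlet mapped to the unconstrained URL `/report`; the class name, path and role are hypothetical. Because the container does not re-check the constraint on a forward, the servlet makes the role check itself before dispatching.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to /report, a URL no <security-constraint> covers.
// Assumed web.xml: a constraint on /admin/* whose <auth-constraint> names role "admin".
public class ReportServlet extends HttpServlet {

    private static final String PROTECTED_VIEW = "/admin/report.jsp"; // hypothetical path
    private static final String REQUIRED_ROLE = "admin";              // hypothetical role

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container matched constraints against the original URI (/report) only.
        // The forward below is an internal dispatch and is not re-checked, so the
        // application has to decide whether this user may see the target.
        // isUserInRole() also returns false for an unauthenticated caller.
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // If the check above were missing, every client able to reach /report
        // would be served /admin/report.jsp despite the constraint on /admin/*.
        req.getRequestDispatcher(PROTECTED_VIEW).forward(req, resp);
    }
}
```

The same applies to `<jsp:include>` and `<jsp:forward>` inside a JSP: the page doing the include or forward is the place where access has to be decided.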