Just noticed this now, you can't directly access
jsp's inside WEB-INF, so only we keep jsp inside WEB-INF, so its secure.. take the redirect.jsp out and put in WebContent. Also, post that redirect.jsp and also post the server logs when the application is deployed.