Prevent static pages from being served by Tomcat
Joe Harry
Ranch Hand
Joined: Sep 26, 2006
Posts: 8795
Guys,
I have a web application that has a couple of folders that contain static content (like JavaScript, CSS and a couple of JSP pages). I need to prevent direct access from outside to these files. I'm sure this must have been done by others a zillion times. What I want to know is: is it a good idea to leave this task to the Apache web server, or is it better left to Tomcat?
SCJP 1.4, SCWCD 1.4 - Hints for you, SCBCD Hints - Coming soon, SCDJWS - Also coming soon
Did a rm -R / to find out that I lost my entire Linux installation!
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56554
If you prevent outside access, then the browser can't load the files either.
In other words, you can't. What are you really trying to accomplish?
Joe Harry
Ranch Hand
Joined: Sep 26, 2006
Posts: 8795
I have some css files and javascript files directly under my web application root. When the user calls http://mywebapp.com/js/main.js, it would render the js and I want to avoid this.
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56554
Sorry, but if the browser can't read the files, what good are they?
Joe Harry
Ranch Hand
Joined: Sep 26, 2006
Posts: 8795
But the browser need not access it directly. Only the jsp page that the user requests will have access to those static files. But at the same time, I do not want to put them under WEB-INF.
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56554
Joe Harry wrote: But the browser need not access it directly.
Yes, it must. There is no difference between an HTML page requesting a resource and requesting it via the address bar. The request is identical. You cannot prevent one without the other.
Joe Harry wrote: Only the jsp page that the user requests will have access to those static files
Incorrect. The JSP doesn't do anything except execute on the server to generate an HTML page. It's the HTML that then causes the browser to request any resources referenced within it.
Joe Harry wrote: But at the same time, I do not want to put them under WEB-INF.
Whether you want to or not is irrelevant. If you put them under WEB-INF, they cannot be used. So it's a moot point.
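
The point made in the reply above, shown from the server's side as an added example that is not part of the original thread: a local test server records each request it receives while a client loads a page and then its referenced script, and again when the script URL is fetched directly. The page content, the `/index.jsp` path and the handler are constructed stand-ins, not the poster's application.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins: the HTML a JSP would generate, and the script it references.
PAGE = b'<html><head><script src="/js/main.js"></script></head><body></body></html>'
ROUTES = {"/index.jsp": ("text/html", PAGE),
          "/js/main.js": ("application/javascript", b'console.log("main");')}

class Handler(BaseHTTPRequestHandler):
    seen = []  # (method, path) of every request that reached the server

    def do_GET(self):
        Handler.seen.append((self.command, self.path))
        ctype, body = ROUTES.get(self.path, ("text/plain", b""))
        self.send_response(200 if self.path in ROUTES else 404)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():
    """Return the requests the server saw for a page load plus a direct fetch."""
    Handler.seen.clear()
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    # Ignore any proxy settings so the requests go straight to the local server.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        # 1. Load the page, then fetch each script its HTML references, as a browser does.
        html = opener.open(base + "/index.jsp").read().decode()
        for src in re.findall(r'<script src="([^"]+)"', html):
            opener.open(base + src).read()
        # 2. Request the same script by typing its URL directly.
        opener.open(base + "/js/main.js").read()
    finally:
        server.shutdown()
        server.server_close()
    return list(Handler.seen)

if __name__ == "__main__":
    for method, path in demo():
        print(method, path)
```

The second and third entries the server records are the same `GET /js/main.js`: the server code that generated the page never touches the script, and the client has to fetch it over HTTP in both cases.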