i have two questions:
1. i want to disable any user to navigate through the application while specifying a URI.
for example my app is http://myapp, now i need to restrict any user to navigate to any URI under the application manually such as http://myapp/print
2. i am installing the application on a server that is accessible by other people, i need to hide my classes on the server from being read/altered. is there any method?
1. You cannot literally stop someone from typing in any URL they want into their browser, but you can very definitely control what they get back when they do. The easiest and most secure way to do that is to use the Contrainer-Managed security system that's defined as part of the J2EE and JEE standards. This system allows you to assign security roles to users and to map which URLs are allowed access from which roles. So, for example, if I wanted to access http://superwebapp/app/supervisor/delete_account.jsp, but it required an "admin" or "manager" role and I wasn't assigned either of those roles, then the standard response would be a page with "HTTP 403 Forbidden" on it instead the delete_account page.
If you mean "browse urls like a filesystem". web servers are not file servers, so they don't do that anyway. The closest you would get would be if the webapp resource path was mapped to an index-display function and that's no problem to fix.
2. If your server runs Microsoft Windows, then security is sort of hit and miss, since any any given time, one and only one user "owns" the server and access to resources is set by the system administrator. On Unix-like systems like MacOS and Linux, which are true multi-user systems, then you can keep people from seeing anything inside of Tomcat including Tomcat itself simply by giving Tomcat its own private userid and security group. If you do that then only people authorized to login or change their user ids to be the Tomcat ID can access those files via the filesystem, and since webapp classes have to be located within the webapp's WAR WEB-INF/classes directory, they can't use HTTP to see them either (since Tomcat will never serve up the WEB-INF folder or directories/files under it). At that point the only way someone could snoop would be if they had root privileges, and not even then if you set up sufficiently nasty selinux controls.
Being persecuted doesn't in any way prove your righteousness or your beliefs. Many people get persecuted because they are repugnant or annoying. Or just because they can be.
She'll be back. I'm just gonna wait here. With this tiny ad: