Posted to users@tomcat.apache.org by Tim Coultas <tc...@helper.com> on 2001/04/18 00:38:42 UTC

Hiding JSPs from Public Access!?!?!

Folks -

I have run into the common problem where visitors can get at my jsp files
even though I have set up a log-in system of security using a central "traffic
circle" servlet that forwards users to jsp pages.

I have the servlets residing in a directory named jsp under the main context
directory.

However, a visitor can get the jsp pages by going to:

http://www.website.com/context/jsp/filename.jsp

I have tried to cut off access by placing this directory in the WEB-INF
directory, but I can still get to it at the URL above.  Also, I have tried
to just dump all of the .jsp's into the WEB-INF directory (and not place
them in a sub-directory) and I can STILL get to them at the URL above.

I have also tried to edit the web.xml security section by entering something
like "<url-pattern>/jsp/*</url-pattern>" and
"<url-pattern>/jsp/filename.jsp</url-pattern>" but this does not have any
effect.

How the heck do I do this?????

Has anyone been able to do it?????????

Thanks.

Tim Coultas
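
The web.xml approach described in the post, written out as a complete deployment-descriptor fragment. This is an added example, not part of the original message or of Tomcat's documentation. It assumes a container that follows the Servlet 2.4 or later rule that an empty auth-constraint denies all access; the servlet name, class and `/app/*` mapping are hypothetical.

```xml
<!-- Added example: fragment of WEB-INF/web.xml (names below are assumptions) -->
<web-app>

  <!-- Hypothetical "traffic circle" front controller. It checks the login
       state, then forwards internally with
       request.getRequestDispatcher("/jsp/filename.jsp").forward(req, res). -->
  <servlet>
    <servlet-name>trafficCircle</servlet-name>
    <servlet-class>com.example.TrafficCircleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>trafficCircle</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- A url-pattern only restricts access when it is nested inside
       security-constraint / web-resource-collection, as here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Direct JSP access</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <!-- No http-method elements: the constraint covers every HTTP method,
           so a request cannot slip past by using an unlisted verb. -->
    </web-resource-collection>
    <!-- Empty auth-constraint: no role is allowed, so every client request
         for /context/jsp/... is denied, whether or not the user is logged in. -->
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Security constraints are evaluated for requests arriving from a client, not for RequestDispatcher forwards or includes, so the servlet can still forward to the pages under /jsp/ while the direct URL is refused.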