 

How to configure url mapping in web.xml to restrict access?

I have a few pages in the following structure.

--Project
  |---WebContect
      |----Admin/ *
      |----Author/ * 
      |----Readonly/ * 
      |----Index.jsp

I want to restrict the user from accessing pages under Admin, Author and Readonly. I don't want anybody to access these pages. And if somebody tries to do so, they should be redirected to index.jsp.

The easiest solution that comes to my mind is using a Filter, but I am trying to find out if it's possible to do this using web.xml.

Ashish Agarwal asked Jun 29 '12 09:06




1 Answer

If you want that nobody is able to access those pages directly, just put them in /WEB-INF folder.

Project
 `-- WebContect
      |-- WEB-INF
      |    |-- Admin
      |    |-- Author
      |    `-- Readonly
      `-- Index.jsp

This way the pages are not publicly accessible, but only by a servlet which performs a forward. When the end user attempts to access them directly, all he will get is an HTTP 404 error.

An alternative is configuring a role-less <security-constraint>.

<security-constraint>
    <display-name>Restrict direct access to certain folders</display-name>
    <web-resource-collection>
        <web-resource-name>Restricted folders</web-resource-name>
        <url-pattern>/Admin/*</url-pattern>
        <url-pattern>/Author/*</url-pattern>
        <url-pattern>/Readonly/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

When the end user attempts to access them, all he will get is an HTTP 403 error.

Either way, it isn't possible to redirect the end user to index.jsp this way. Only a Filter can do that. You could configure the index.jsp as the error page location for 404 or 403:

<error-page>
    <error-code>404</error-code>
    <location>/index.jsp</location>
</error-page>

But this would cover all 404s (or 403s); not sure if that is what you want.

BalusC answered Sep 20 '22 14:09
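
The answer says only a Filter can redirect to index.jsp but does not show one. The following filter is an added example, not code from the question or the answer; it assumes a Servlet 3.0 container with the javax.servlet API, and the package name, class name and exact case of the index page path are assumptions.

```java
package com.example.web; // hypothetical package name

import java.io.IOException;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects direct client requests for the restricted folders to the index page.
 * dispatcherTypes = REQUEST limits the filter to requests coming straight from
 * the client; a servlet's internal forward() or include() still reaches the JSPs.
 */
@WebFilter(
    urlPatterns = {"/Admin/*", "/Author/*", "/Readonly/*"},
    dispatcherTypes = DispatcherType.REQUEST)
public class RestrictedFolderFilter implements Filter { // hypothetical class name

    // Fixed target (assumed path; match the case of the real file).
    // It is never built from request input, so the redirect cannot be steered elsewhere.
    private static final String INDEX_PAGE = "/index.jsp";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // chain.doFilter() is deliberately not called, so the protected resource is never served.
        httpResponse.sendRedirect(httpRequest.getContextPath() + INDEX_PAGE);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The filter only covers the three mapped patterns, so a page reachable under any other URL is unaffected; keeping the JSPs under /WEB-INF as the answer suggests remains the stronger control.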