hey, just to make it sure the <url-pattern> of <security-constraint> includes the url which will have security restrictions?
posted 14 years ago
Yes, though "... it is important to note that the url-pattern applies only to clients that access the resources directly. In particular, it does not apply to pages that are accessed through the MVC architecture with a RequestDispatcher or by the similar means of jsp:forward." Please see Marty Hall.