secure display of html pages from a tomcat application

 
Greenhorn
Posts: 14
I have a Tomcat application running fine under IIS6, Tomcat 5.5.2 and Jakarta Redirector.
Once connected with a userid and password, this application uses a rich interface built with Adobe Flex to display HTML pages in iframes which are dynamically created and deleted by the application.
These HTML pages (and other stuff like Flash SWF files called by these HTML pages) are stored in a "content" folder which is located under the root folder of the Tomcat application.
The problem is that currently the user can directly access the HTML pages without logging in to the application. He just needs to type "http://application_URL/contents/page.html" and he can see it.
Which configuration should I use so this is no longer possible and people can see the HTML pages only once connected to the Tomcat application?
 
Rancher
Posts: 43081
Welcome to JavaRanch.

The easiest way would be to use form authentication (or basic authentication) along with a Tomcat Realm.
 
Eric Malalel
Greenhorn
Posts: 14
Thanks for the tip. I have been through the documentation and set up a memory realm. It works but not exactly as expected. Now, whether I access the page directly with its URL or through the Tomcat application, I get the login form which protects access to this page.

I would like to configure the Tomcat application so that, whoever is logged in to the application, the application is seen as "userX", userX being granted access through the memory realm.

Is it possible, and how?
 
Saloon Keeper
Posts: 27807
That's how it's supposed to work. Otherwise people could just slide around behind the scenes and defeat application security, as is so often the case when people invent their own security systems instead of using the built-in one.

To truly hide a resource, put it under the WEB-INF directory and have some internet resource like a servlet handle actually presenting it to the user.

Container-based security architecture says that until the user has been logged in, the user ID as supplied in the HttpServletRequest object will be null. Once logged in, the request object will contain the user's login ID. To log out, invalidate the session object and further requests will again have a null user ID.

The container-managed security system is a transparent wrapping mechanism, so whether you're using the memory realm, a JDBC realm or an LDAP realm, the application won't know which one you're using.
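
The WEB-INF approach described in the reply above, as an added example that is not part of the original thread: a servlet that streams pages from under WEB-INF only when the container reports a logged-in user. The class name, the /WEB-INF/content folder and the /protected/* mapping are assumptions, and the javax.servlet API matches the Tomcat 5.5 generation mentioned in the question.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, assumed to be mapped to /protected/* in web.xml.
public class ProtectedContentServlet extends HttpServlet {
    // Assumed folder; the container never serves files under WEB-INF directly.
    private static final String BASE = "/WEB-INF/content";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getRemoteUser() stays null until container-managed login has succeeded.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String path = req.getPathInfo(); // e.g. "/page.html"
        // Reject a missing path and anything that could climb out of BASE.
        if (path == null || path.indexOf("..") >= 0 || path.indexOf('\\') >= 0) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        InputStream in = getServletContext().getResourceAsStream(BASE + path);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            String type = getServletContext().getMimeType(path);
            resp.setContentType(type != null ? type : "application/octet-stream");
            // Keep protected pages out of shared and on-disk caches.
            resp.setHeader("Cache-Control", "private, no-store");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

With this in place the iframes would point at /protected/page.html instead of the file's own URL, and a direct request from a browser with no session gets a 403.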
 