I'm trying to prevent people typing image.jpg in the url to go to the image directly.
Ok, thats what I was talking about, Tomcat will only serve images directly from the main web application directory. Put you images somewhere else and create a servlet to send them after checking for a valid user.
Bill