In web.xml, you can add the following security constraint to protect JSP files from direct access.

  <security-constraint>
    <display-name>JSP Protection</display-name>
    <web-resource-collection>
      <web-resource-name>SecureJSPPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- Only the methods listed here are constrained; other methods (e.g. HEAD) are not covered by this constraint. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>
      Nobody should be in this role so JSP files are protected from direct access.
    </description>
    <role-name>nobody</role-name>
  </security-role>




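Sometimes a particular servlet or JSP should not be protected. Add a second security-constraint for its URL with no auth-constraint, as for /common/L7check.jsp below.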


  <security-constraint>
    <display-name>JSP Protection</display-name>
    <web-resource-collection>
      <web-resource-name>SecureJSPPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>NOT JSP Protection</display-name>
    <web-resource-collection>
      <web-resource-name>NOTSecureJSPPages</web-resource-name>
      <url-pattern>/common/L7check.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
 

  <security-role>
    <description>
      Nobody should be in this role so JSP files are protected from direct access.
    </description>
    <role-name>nobody</role-name>
  </security-role>



References
http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/4/html/J2EE_Declarative_Security_Overview-Web_Content_Security_Constraints.html


http://java.sun.com/xml/ns/j2ee/

http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd


Posted by '김용환'