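To turn off direct access to JSPs in JBoss, or whichever application server you use, add this to your web.xml. The empty <auth-constraint/> means no role is permitted, so every direct client request for a *.jsp URL is refused; JSPs reached through a server-side forward or include are unaffected.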
<!-- Restrict direct access to jsps -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>you_cant_touch_this</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
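A way to confirm the constraint above is really in effect, as an added example that is not part of the original post: this Python check parses a web.xml and reports why direct JSP access would still be allowed. The function name audit_jsp_constraint and the sample web.xml strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so the check works with any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit_jsp_constraint(web_xml_text, pattern="*.jsp"):
    """Return a list of findings; an empty list means direct access to `pattern` is denied."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in children(root, "security-constraint"):
        for wrc in children(sc, "web-resource-collection"):
            patterns = [(u.text or "").strip() for u in children(wrc, "url-pattern")]
            if pattern not in patterns:
                continue
            auth = children(sc, "auth-constraint")
            if not auth:
                findings.append("no <auth-constraint>: access is not restricted")
            elif any(children(a, "role-name") for a in auth):
                findings.append("<auth-constraint> lists roles that can still request JSPs")
            elif children(wrc, "http-method") or children(wrc, "http-method-omission"):
                findings.append("constraint covers only some HTTP methods")
            else:
                return []  # empty auth-constraint on every method: deny all
    return findings or ["no <security-constraint> covers " + pattern]

# Constructed sample inputs (not taken from a real deployment).
GOOD = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>you_cant_touch_this</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
WITH_ROLE = GOOD.replace("<auth-constraint/>",
                         "<auth-constraint><role-name>admin</role-name></auth-constraint>")
GET_ONLY = GOOD.replace("</url-pattern>", "</url-pattern><http-method>GET</http-method>")

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("WITH_ROLE", WITH_ROLE), ("GET_ONLY", GET_ONLY)]:
        print(name, audit_jsp_constraint(doc) or "OK: direct JSP access denied")
```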
To prevent Apache from forwarding JSP requests to JBoss, add the following to your configuration.
## DISALLOW FROM REACHING JBOSS (security-related filter):
!/*.jsp=name_of_your_app
!/*.xml=name_of_your_app