J2EE Core Patterns asserts that any internal redirection to a resource, such as from a servlet to a JSP page, bypasses the security settings declared in the web.xml file for the target resource. It then goes on to suggest that declaring security access for the targeted resource in web.xml only for a role which has no members prevents direct access to the target JSP unless it has been redirected internally via a servlet.

Now, I had the idea that if this kind of security feature was a requirement for the application, a quick (possibly dirty?) solution would be to declare the security for the resource as above, and also declare FORM style authentication as opposed to BASIC or DIGEST. Now, of course one must also declare and provide the login and error pages in web.xml. However, rather than using the so-called login page as a form, we simply use it as a redirect to the servlet controller. This invokes an immediate redirection without the need for actual authentication.

I can't see any issues that would stand in the way of this working, but it is an "all or nothing" approach which might just work in some situations where access to the JSP resource directly is verboten. Does anyone have any thoughts or alternatives?
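
The configuration described in this post, written out as a web.xml fragment. This is an added example, not part of the original post; the role name `nobody`, the `/views/*` pattern, `/to-controller.jsp`, the `/controller` mapping and the servlet class are all assumed names.

```xml
<!-- Added example. Every name below is an assumption made for illustration. -->
<web-app>
  <!-- Front controller: the only intended entry point to the views. -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <servlet-class>com.example.ControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/controller</url-pattern>
  </servlet-mapping>

  <!-- Constraints are checked for client requests only; a RequestDispatcher
       forward or include from the controller is not subject to them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal views</web-resource-name>
      <url-pattern>/views/*</url-pattern>
      <!-- No http-method elements, so every HTTP method is covered.
           Listing only GET and POST would leave other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- A role that is never granted to any user in the realm. -->
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login: a direct request for /views/* is answered with the "login"
       page, which here contains no form and only redirects to /controller.
       It must sit outside /views/* so that it is reachable itself. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/to-controller.jsp</form-login-page>
      <form-error-page>/to-controller.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>nobody</role-name>
  </security-role>
</web-app>
```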