I’m developing a web project with Java EE using JBoss 5. My WebContent folder has a .css file, used by all JSPs (placed in other subfolders of WebContent). I want to forbid direct access to the .css file, but still be able to use it in my JSPs. I tried with
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Direct access to .css forbidden</web-resource-name>
            <url-pattern>/Style.css</url-pattern>
        </web-resource-collection>
        <!-- An empty auth-constraint allows no role, so every request for this URL is denied -->
        <auth-constraint/>
    </security-constraint>
in the web.xml descriptor, but this way JSPs are unable to use it.
Any ideas?
Any attempt to hide the CSS used on a page from the end-user is completely pointless.
You could check the HTTP_REFERER header and not display the CSS if it doesn’t match the page that embedded the style sheet.
But not even that will help in modern browsers, where the CSS is visible in the DOM inspector, and clickable with the correct referer set.
The browser needs to see the CSS in order to render it, hence there is no protection measure that will help. The best you can do (but it requires you changing your HTML) is obfuscate the CSS so there are no legible element names any more (e.g. .xweudhd instead of .top_navigation).
But I would drop the idea altogether. There are more productive ways to spend one’s time.
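The Referer check mentioned in the answer, written as a Servlet 2.5 filter (an added example, not code from the original post). The class name StylesheetRefererFilter is hypothetical, and the filter is assumed to be mapped to /Style.css with a filter and filter-mapping entry in web.xml, replacing the security-constraint.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; assumed to be mapped to /Style.css in web.xml.
public class StylesheetRefererFilter implements Filter {

    public void init(FilterConfig config) {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // The browser fetches the stylesheet in a request of its own and
        // normally sends the embedding page's URL in the Referer header.
        if (isSameApplication(request.getHeader("Referer"), request)) {
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // True only if the Referer is a URL on this host under this context path.
    static boolean isSameApplication(String referer, HttpServletRequest request) {
        if (referer == null) {
            return false; // typed into the address bar, or stripped by a proxy or privacy setting
        }
        try {
            URI uri = new URI(referer);
            String path = uri.getPath();
            return request.getServerName().equalsIgnoreCase(uri.getHost())
                    && path != null
                    && path.startsWith(request.getContextPath() + "/");
        } catch (URISyntaxException e) {
            return false; // malformed header value
        }
    }

    public void destroy() {
    }
}
```

The header is supplied by the client, so this only turns away plain address-bar requests, and visitors whose browser or proxy omits Referer get unstyled pages.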