How to forbid all access to a URL
From Resin 3.0
With Resin 4.0, you can deny all access to a set of URLs, i.e. allowing behavior just like WEB-INF and META-INF
<web-app xmlns="http://caucho.com/ns/resin" xmlns:sec="urn:java:com.caucho.security"> <sec:Deny> <sec:url-pattern>/hidden/*</sec:url-pattern> <sec:url-pattern>/more-hidden/*</sec:url-pattern> </sec:Deny> </web-app>