A little background:

I have Front-Controller Servlet that fowards all requests to jsp's located outside the application war. So, for example, http://localhost/myapp/test.jsp is actually a jsp located at (on windows) c:/content/client1/pages/test.jsp. I accomplish by doing the following:

ServletConfig currentConfig = getServletConfig();
ServletContext otherContext = currentConfig.getServletContext().getContext("/otherapp");
RequestDispatcher dispatch = otherContext.getRequestDispatcher(page);
dispatch.forward(request, response);

The issue is that I have the following in my web.xml:

...
<servlet>
<servlet-name>FrontServletController</servlet-name>
<servlet-class>com.diginsite.product.webcenter.website.FileController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>FrontServletController</servlet-name>
<url-pattern>*.jsp</url-pattern>
</servlet-mapping>
<jsp-config>
 <jsp-property-group>
 <url-pattern>*.jsp</url-pattern>
 <scripting-invalid>true</scripting-invalid>
 </jsp-property-group>
 </jsp-config>
...

However, the c:/content/client1/pages/test.jsp file does contain a scriptlet and it is working fine.

I've attempted changing the url pattern of the jsp-property-group directly to /*/*/*/test.jsp with no luck as well as changing the url-pattern of the servlet to *.myext.

-------------------------------------------------------------------------------------

Since the "otherapp" doesn't contain a web.xml I decided to try and modify the $JBOSS_HOME/server/myapp/deploy/jbossweb-tomcat55.sar/conf/web.xml to include:

<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<scripting-invalid>true</scripting-invalid>
</jsp-property-group>
</jsp-config>

This doesn't work either. Any other ideas of how I can prevent any jsp from containing scriptlets.