To add more security to our Web Application we will: A) add an error.jsp so Java exceptions and 404 pages do not output a Stack Trace from the AddingSecurity.zip copy the error.jsp to the src/main/webapp folder B) make changes to the web.xml to add the error pages for a HTTP 404 and java.lang.Throwable that will point to the new error.jsp page C) add a element to the web.xml to require HTTPS and change the Session to use HTTPS, please note the first time you run the web appl a popup will appear asking you to approve this "self-signed" HTTPS connection from the AddingSecurity.zip replace the existing to the src/main/webapp/WEB-INF/web.xml with the web.xml from the zip file D) JBoss defaults to an older version of Log4J and that version has security vulnerabilities, so we have a jboss-deployment-structure.xml file the tells JBoss not to use the built-in Log4J for out web application (this is already in our CustomerWeb project in the src/main/webapp/WEB-INF folder) E) next I will update my session configuration to use the HTTPS connection ONLY true