Hi!
First, you have to consider storing all JSP files inside a directory like /WebContent/WEB-INF/jsp/ to avoid direct requests to the JSPs. You can then access a JSP via an action mapping:
<action path="/viewLogin"
        type="org.apache.struts.actions.ForwardAction"
        parameter="/WEB-INF/jsp/login.jsp" />

or

<action path="/viewLogin"
        forward="/WEB-INF/jsp/login.jsp" />
Remember, to ensure MVC every request must go through the request processor, and this way you can implement more complex authentication and authorization levels of security.
Second, are you using container-managed or application-managed security? Are you using filters, a custom request processor, a base action or a custom tag?
Check O'Reilly's Jakarta Struts Cookbook; there is a complete chapter about securing Struts applications.
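
A sketch of the filter option mentioned above, added here as an illustration and not part of the original post: a servlet filter that refuses direct JSP requests and sends unauthenticated users to the /viewLogin action. It assumes the Struts ActionServlet is mapped to *.do and the filter is mapped to *.do and *.jsp in web.xml; the class name, the "user" session attribute and the /login.do submit action are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. By default a filter only sees client requests, so the
// internal forward from /viewLogin.do to /WEB-INF/jsp/login.jsp is not blocked.
public class AuthFilter implements Filter {
    private static final String USER_KEY = "user";             // assumed session attribute
    private static final String LOGIN_VIEW = "/viewLogin.do";  // action from the post, with assumed *.do mapping
    private static final String LOGIN_SUBMIT = "/login.do";    // hypothetical login action

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the web application, as resolved by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // Defense in depth for any JSP still stored outside WEB-INF:
        // views are reachable only through an action mapping.
        if (path.toLowerCase(Locale.ROOT).endsWith(".jsp")) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // The login view and its submit action must stay reachable without a session.
        boolean loginRequest = path.equals(LOGIN_VIEW) || path.equals(LOGIN_SUBMIT);

        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(USER_KEY) != null;

        if (!loginRequest && !authenticated) {
            response.sendRedirect(request.getContextPath() + LOGIN_VIEW);
            return;
        }
        chain.doFilter(request, response);
    }
}
```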