Hi I'm not sure if I understand the question correctly. But you are not supposed to put viewable pages to WEB-INF folder. WEB-INF folder contains normally java classes, jar libraries and configuration files put nothing that is supposed to go to the client. JSP pages are put to webapp folder or to subfolder of webapp (other than WEB-INF).
Joined: Apr 25, 2004
Usually some pages are kept within the WEB-INF folder, this however, is to apply security to the pages.
Joined: Apr 15, 2008
Ah yes. I've read about that. But isn't that non standard feature that not all webcontainers allow? How about applying security constraints to normal folder instead (with web.xml)?
Well I really am not familiar with this subject so I will shut up now
The servlet specification makes it clear that nothing gets served out of WEB-INF. So it's not possible to access JSP pages inside of WEB-INF directly, e.g. by entering their URL into a browser.
What is possible is to use those JSP pages indirectly, e.g. by including them or forwarding to them using a RequestDispatcher. I would imagine that that's what the JSF page-navigation does (not sure about it, though).
Personally I strongly discourage trying to serve JSP files from the WEB-INF directory. Since support for this is not defined in the specification it cannot be guaranteed and may change between servers or versions (some versions of Tomcat prevent this)
If you want to prevent direct access to JSPs or other resources in production, consider doing it through Apache.