Hiding jsp pages behind WEB-INF

david allen
Ranch Hand

Joined: Sep 27, 2002
Posts: 185
Hi all,

I would like to hide all of my jsp pages behind WEB-INF so they can not be accessed by a user if they type the url into a browser.

Is this possible?

If it is and I do put them behind WEB-INF do I have to register servlet.xml?

Any pointer would be appreciated

thanks david
Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
Files placed under WEB-INF are not directly accessible to the browser/client. Since the browser needs to render the JSPs, they can not be put there.

You should be able to use servlet mapping to achieve what you want to do.

So much trouble in the world -- Bob Marley
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

You have changed your display name from one which is valid to one which ... is not.

Please change it back immediately, accounts with invalid display names get deleted, often without warning.

If you need more information, please check the Naming Rules page.

David O'Meara

Joined: Mar 06, 2001
Posts: 13459

Although I never managed to get it working correctly, it is possible to place JSPs there as long as you only forward or include them from the servlet.

BUT, I've found support for this to be server specific, and even version specific, i.e. if you managed to get it working in your particular container, there is no guarantee it would work if you had to move to another container, or even another version.

I've learnt to be wary of undocumented tricks such as these. Better to put a web server in front and block direct JSP access there.

Eric Pascarello

Joined: Nov 08, 2001
Posts: 15385
You can not keep a user from typing URLs into the browser; you should implement a way to check for their session. If they do not have the session when the page loads then dump them to the main page.

If you also want the URL to be hidden:
You just need to manage the process, and you can not keep the url from being visible. You can use frames, but the url can still be found. Only way you can keep the url the same would be to include 5000000 dynamic includes.

Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63858

Since I disallow direct access to my JSPs, I always hide them behind WEB-INF so that they can only be accessed via a controller servlet. I've never had any problems doing so from any version of Tomcat or Resin. Any container that does not allow this is "broken" and should be fixed.

Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 33119

I second what Bear said. It is also easier to maintain if the users can't access the JSP directly.

Keep in mind that the JSP is compiled into a servlet. If you were writing the servlet yourself, it would be standard procedure to put it in WEB-INF/classes. So keeping the JSP in WEB-INF is logically consistent.

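The controller-servlet arrangement discussed in this thread, combined with the session check one reply suggests, as an added example that is not code from any poster. The class name, URL pattern, JSP paths and the `user` session attribute are all hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical controller: the only public entry point to the views.
// The same mapping could be declared in web.xml instead of the annotation.
@WebServlet("/app/*")
public class ViewController extends HttpServlet {

    // Allow-list of logical names to JSPs kept under WEB-INF (assumed paths).
    // The request path is only used as a lookup key, never joined into a
    // file path, so a crafted URL cannot select an arbitrary resource.
    private static final Map<String, String> VIEWS = Map.of(
            "/home", "/WEB-INF/jsp/home.jsp",
            "/account", "/WEB-INF/jsp/account.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getPathInfo();               // null for "/app"
        String view = (path == null) ? null : VIEWS.get(path);
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Every view except the public home page needs a logged-in session.
        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!"/home".equals(path) && !loggedIn) {
            resp.sendRedirect(req.getContextPath() + "/app/home");
            return;
        }

        // Server-side forward: the JSP is resolved inside the container, so
        // the browser only ever sees the /app/... URL.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

With this layout, a direct browser request for `/WEB-INF/jsp/account.jsp` is refused by the container, so the session check in the servlet cannot be bypassed by typing the JSP's URL.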