File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JSP and the fly likes put jsp pages under WEB-INF Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "put jsp pages under WEB-INF" Watch "put jsp pages under WEB-INF" New topic
Author

put jsp pages under WEB-INF

Alessandro Ilardo
Ranch Hand

Joined: Dec 23, 2005
Posts: 218
Hi there,
I'm using struts and I have noticed someone putting the jsp pages under the WEB-INF.

I guess this increase the application security, but is it a good practice? What are the weak points of doing that?


trying to decode a woman mind....
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60059
    
  65

It's an extremely good practice for JSPs that you do not want to be directly addressable via URL. By placing the under WEB-INF, thay can only be accessed via their controller (like a Struts action).

It's not suitable for JSPs that need to be directly addressed.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60059
    
  65

And it's not just a security measure, but a usability one as well. If your JSP will fail horribly if things aren't set up as expected by its page controller -- which is very likely if you are writing JSPs to modern scriptless standards -- disallowing direct access that would cause such a blowup prevents users from being faced with such errors, and keeps your support lines clear for real problems.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: put jsp pages under WEB-INF
 
Similar Threads
Protecting JSP From Direct Access
In a WebProject, where is the best place for jsp's?
Adding a Plugin - Jsp in pages folder
preventing direct access to jsp pages
NetBeans 6.0.1 - Web App Question