This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes JSP and the fly likes put jsp pages under WEB-INF Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » JSP
Bookmark "put jsp pages under WEB-INF" Watch "put jsp pages under WEB-INF" New topic

put jsp pages under WEB-INF

Alessandro Ilardo
Ranch Hand

Joined: Dec 23, 2005
Posts: 218
Hi there,
I'm using struts and I have noticed someone putting the jsp pages under the WEB-INF.

I guess this increase the application security, but is it a good practice? What are the weak points of doing that?

trying to decode a woman mind....
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 60741

It's an extremely good practice for JSPs that you do not want to be directly addressable via URL. By placing the under WEB-INF, thay can only be accessed via their controller (like a Struts action).

It's not suitable for JSPs that need to be directly addressed.

[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 60741

And it's not just a security measure, but a usability one as well. If your JSP will fail horribly if things aren't set up as expected by its page controller -- which is very likely if you are writing JSPs to modern scriptless standards -- disallowing direct access that would cause such a blowup prevents users from being faced with such errors, and keeps your support lines clear for real problems.
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
subject: put jsp pages under WEB-INF
Similar Threads
Protecting JSP From Direct Access
NetBeans 6.0.1 - Web App Question
preventing direct access to jsp pages
In a WebProject, where is the best place for jsp's?
Adding a Plugin - Jsp in pages folder