• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

put jsp pages under WEB-INF

 
Alessandro Ilardo
Ranch Hand
Posts: 218
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi there,
I'm using struts and I have noticed someone putting the jsp pages under the WEB-INF.

I guess this increase the application security, but is it a good practice? What are the weak points of doing that?
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64620
86
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
It's an extremely good practice for JSPs that you do not want to be directly addressable via URL. By placing the under WEB-INF, thay can only be accessed via their controller (like a Struts action).

It's not suitable for JSPs that need to be directly addressed.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64620
86
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
And it's not just a security measure, but a usability one as well. If your JSP will fail horribly if things aren't set up as expected by its page controller -- which is very likely if you are writing JSPs to modern scriptless standards -- disallowing direct access that would cause such a blowup prevents users from being faced with such errors, and keeps your support lines clear for real problems.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic