I just want to secure my JSPs from users of the application. I mean the user shouldn't able to type the path and reach my JSPs directly, they must go through the site. By putting JSPs in the root of the application, I am allowing users to type the path to reach them. Right? I don't want to do that.
No, because JSPs underneath WEB-INF aren't directly accessible to begin with. You'd have to use servlets which forward to (or include) those JSPs. So the control flow would be a bit different than what you have now. [ January 23, 2008: Message edited by: Ulf Dittmer ]
This isn't that un-common in model1 architectures where everything is written in JSP. It allows you to set servlet-init params in the deployment descriptor , restrict direct access to the JSP, and to group components with URL patterns that easily be matched up with filter mappings, etc...
These days, the accepted best practice is to use JSPs only as a view tier which would eliminate any need for the things mentioned above.
Joined: May 17, 2007
I got it...
But, giving WEB-INF in path feels weird... am I doing it correctly?
there could be other ways to prevent users from directly accessing resources like checking for "referer" in the request header (e.g. it would be null if address is manually entered), *.jsp in url-pattern so all requests go thru your front-controller and you dynamically decide which page to return. [ January 23, 2008: Message edited by: Abhinav Srivastava ]