I've seen this suggested before, where you can put your JSPs in the WEB-INF directory to protect them from direct access, i.e. you can only .forward or .include them.
I haven't actually read it, but apparently the Servlet spec defines access to resources in the WEB-INF directory. I believe that the problem in the way it is defined is that it states that stuff under WEB-INF shouldn't be directly accessible, but it does not state that they should be indirectly accessible.
What this means is that there is no guarantee that any app server will allow you to do this.
The only server I actually tried this on was Tomcat 4, and after chasing it down in the source code, it appears that Tomcat will not allow any access to files in the WEB-INF directory. It explicitly denies access to anything matching */WEB-INF/*
Dave
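
The forward-only pattern discussed in this post, as an added example that is not part of the original post: a front-controller servlet that is the single route to JSPs kept under WEB-INF, and that handles the case raised above where the container does not hand back a dispatcher for such a path. It assumes the `javax.servlet` API and Java 9+; the class name, the `view` parameter and the JSP paths are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller: the only intended route to the JSPs below.
public class ViewServlet extends HttpServlet {

    // Fixed allow-list of view name -> JSP path (paths are assumptions).
    // The request supplies only a key, never a path, so a client cannot
    // steer the forward to WEB-INF/web.xml or any other protected file.
    private static final Map<String, String> VIEWS = Map.of(
        "home", "/WEB-INF/views/home.jsp",
        "account", "/WEB-INF/views/account.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("view");
        // Map.of() maps reject null keys, so test for a missing parameter first.
        String jsp = (name == null) ? null : VIEWS.get(name);
        if (jsp == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Authentication and authorization checks belong here, before the
        // forward: once JSPs are unreachable by URL, this is the one gate.

        RequestDispatcher rd = getServletContext().getRequestDispatcher(jsp);
        if (rd == null) {
            // getRequestDispatcher returns null when the container cannot
            // provide a dispatcher for the path. Fail closed and log it,
            // so a container that refuses WEB-INF forwards is detected.
            log("No RequestDispatcher available for " + jsp);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        rd.forward(req, resp);
    }
}
```

Deploying this on each target container and requesting one mapped view shows whether that container permits the indirect access at all.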