Putting JSPs inside WEB-INF will protect them from direct client access. However, we have a legacy system which put all JSPs above WEB-INF. What are the best strategies to make sure these JSPs cannot be accessed directly - assuming the URLs to them cannot be made secret?
Just a couple of guesses, because I haven't had to do this before, but I would try using a Filter, or maybe constraining the JSPs in the web.xml...
“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” - Rich Cook
subject: Legacy System with Protected JSP Above WEB-INF
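The web.xml option mentioned in the reply above, as an added example that is not part of the original thread: a security constraint with an empty `auth-constraint` denies every direct client request for a JSP, while servlets can still reach the pages because declarative constraints are not applied to `RequestDispatcher` forwards and includes. It assumes the legacy pages match `*.jsp` / `*.jspx` and are rendered through controller servlets.

```xml
<!-- Added example: place inside <web-app> in WEB-INF/web.xml.
     Assumption: JSPs are only rendered via RequestDispatcher.forward()/include()
     from servlets, never requested by the browser. -->
<security-constraint>
  <display-name>Deny direct client access to JSPs</display-name>
  <web-resource-collection>
    <web-resource-name>Legacy JSPs above WEB-INF</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
    <!-- No <http-method> elements: the constraint covers every HTTP method,
         so it cannot be sidestepped by switching verbs. -->
  </web-resource-collection>
  <!-- Empty auth-constraint: no role is allowed, so the container answers
       direct requests with 403 regardless of who is logged in. -->
  <auth-constraint/>
</security-constraint>
```

Any JSP that browsers currently load directly is blocked by this as well, so such pages need a servlet in front of them before the constraint is deployed.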