Putting JSPs inside WEB-INF will protect them from direct client access. However, we have a legacy system which puts all JSPs above WEB-INF. What are the best strategies to make sure these JSPs cannot be accessed directly - assuming the URLs to them cannot be made secret.
Just a couple of guesses, because I haven't had to do this before, but I would try using a Filter, or maybe constraining the JSPs in the web.xml...
“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” - Rich Cook
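The web.xml option guessed at in the reply above, written out as an added example that is not part of the original thread: a security constraint with an empty `<auth-constraint>` makes the container refuse every client request for a `*.jsp` URL. The servlet security model applies only to requests that come from the client, not to `RequestDispatcher` forwards or includes, so controller servlets can still forward to the same JSPs. The page name `/login.jsp` is a hypothetical stand-in for any JSP that must stay directly reachable.

```xml
<!-- Added example: fragment for WEB-INF/web.xml, placed inside <web-app>. -->

<!-- Deny every client request for a *.jsp URL. An <auth-constraint> with
     no <role-name> means "no role may access", so the container answers
     403 Forbidden before the JSP runs. -->
<security-constraint>
  <display-name>No direct JSP access</display-name>
  <web-resource-collection>
    <web-resource-name>All JSPs</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <!-- No <http-method> element: the constraint covers every HTTP method. -->
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- Assumption: /login.jsp (hypothetical name) must remain a public entry
     page. An exact-match pattern is a better match than the *.jsp extension
     pattern, and a constraint without <auth-constraint> leaves it open. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public entry page</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>
</security-constraint>
```

To check the result, request a JSP URL directly (expect 403) and then reach the same page through the servlet that forwards to it (expect the rendered page).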