I'm developing a struts application, in which I've extended the RequestProcessor to check the session. Everything is fine and works as expected. But an unauthenticated user can simply access the JSP pages directly. Here the request to the JSP page completely bypasses the RequestProcessor, only requests with logical labels like xyz.do go through the RequestProcessor.
After searching the web, one solution is to keep the JSP pages inside the WEB-INF directory. But is it possible to send every request through the RequestProcessor?