Thanks Dnyan. Just a thought, why wouldn't we want people to access the JSPs directly?
Because the JSP might not be designed to be accessed directly, e.g. it may only work if the request went through a servlet first, which added some attributes. Without these attributes, the JSP would not work.
Or maybe the JSP is not a full page, but only meant to be included in other JSPs.
What we have done in the past was to keep the JSPs in a public directory, but to check for a particular attribute (which would be set by all servlets), and if that attribute wasn't present, then the JSP would not generate output, but instead redirect to an error page.
An example where you would not want the users to access the JSP directly is:
Say you have a login page where the user enters his email and password. On submitting the form the user is taken to the next jsp where he can vote for his favourite actor/actress. Your business requirement is such that the user can vote only once. In such a scenario you would typically check whether the user has voted or not when the user enters his email and password on the first screen itself. If he has voted you would not display the voting screen to the user. Now if you keep the voting.jsp outside WEB-INF and the user somehow gets to know the URL to this jsp he could access this jsp and cast his vote as many times as he wants because the check for already voted would be skipped, thus breaking your business requirement.
My preference for a Struts based application is to have all access to pages go through actions and never allow the user to directly access a JSP. If you do not need to do any processing to display the page, you can use one of the standard Struts actions or create a simple action that just returns mapping.findForward( "success" ).
I think the best strategy is to place the JSPs under the WEB-INF folder. In Struts we can force all requests to go through the ActionServlet, but in case we are not using Struts the best way to secure resources is to place them under WEB-INF. Another thing we can do is to have a servlet filter which intercepts all requests and checks for the userinfo in session and accordingly provides or denies access to a resource.
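The servlet filter approach described in the last post, as an added example that is not code from any poster in this thread: it intercepts client requests to JSPs and redirects anyone without a login marker in the session. The class name, the `userInfo` session attribute, the `loginPage` init-param and the `/login.jsp` default are all assumptions.

```java
// Added example (not from this thread): a filter that blocks direct browser
// requests to *.jsp unless the session carries a login marker set by a servlet.
// "userInfo", "loginPage" and "/login.jsp" are assumed names.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class JspAccessFilter implements Filter {
    // Session attribute the login servlet stores after a successful login (assumed).
    private static final String USER_INFO = "userInfo";
    private String loginPage;

    public void init(FilterConfig config) {
        // Read the login page from an <init-param> in web.xml, default to /login.jsp.
        String p = config.getInitParameter("loginPage");
        loginPage = (p != null) ? p : "/login.jsp";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the web application, e.g. "/voting.jsp".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login page itself must stay reachable, or nobody can ever log in.
        if (path.equals(loginPage)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false) avoids creating a session for anonymous hits.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_INFO) == null) {
            // Not logged in: send the user to the login page instead of the JSP.
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map it in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `*.jsp`; a mapping without `<dispatcher>` elements applies only to client requests, so a servlet's `RequestDispatcher.forward()` to a JSP (including one under WEB-INF) still passes through untouched.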