• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Best way to place JSPs

 
Thara Visu
Ranch Hand
Posts: 87
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Where is the best place to keep JSPs? Under WebContent or WEB-INF.

When we keep JSPs under WEB-INF, where should stylesheets be placed?

Thanks in advance
 
dnyan ginde
Ranch Hand
Posts: 68
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you do not want the users to access your JSP's directly by giving the URL in the browser, then you should keep the JSP's under WEB-INF. You should always keep your stylesheets, javascript, images outside WEB-INF since your browsers wont be able to locate these elements if kept under WEB-INF.
 
Thara Visu
Ranch Hand
Posts: 87
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Dnyan.
Just a thought, why would not we want people to access the JSPs directly?
 
Ulf Dittmer
Rancher
Posts: 42968
73
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Because the JSP might not be designed to be accessed directly, e.g. it may only work if the request went through a servelt first, which added some attributes. Without these attributes, the JSP would not work.

Or maybe the JSP is not a full page, but only meant to be included in other JSPs.

What we have done in the past was to keep the JSPs in a public directory, but to check for a particular attribute (which would be set by all servlets), and if that attribute wasn't present, then the JSP would not generate output, but instead redirect to an error page.
 
dnyan ginde
Ranch Hand
Posts: 68
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
An example where you would not want the users to access the jsp directly is :

Say you have a login page where the user enters his email and password. On submitting the form the user is taken to the next jsp where he can vote for his favourite actor/actress. Your business requirement is such that the user can vote only once. In such a scenario you would typically check whether the user has voted or not when the user enters his email and password on the first screen itself. If he has voted you would not display the voting screen to the user. Now if you keep the voting.jsp outside WEB-INF and the user somehow gets to know the URL to this jsp he could access this jsp and cast his vote as many times as he wants because the check for already voted would be skipped, thus breaking your business requirement.
 
Brent Sterling
Ranch Hand
Posts: 948
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
My preference for a Struts based application is to have all access to pages go through actions and never allow the user to directly access a JSP. If you do not need to do any processing to display the page, you can use one of the standard Struts actions or create a simple action that just returns mapping.findForward( "success" ).

- Brent
 
Thara Visu
Ranch Hand
Posts: 87
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks all. Those inputs were extremely helpful.
 
alfred jones
Ranch Hand
Posts: 279
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
very interesting topic.

after reading the comments, i have a question.


suppose, you put your JSP under WEB-INF in a Struts based application...what are the changes i have to do for Struts based application ?

is it just i have to change the forward path to under WEB-INF ?








what are other changes required if i put all my JSP's under WEB-INF directory ?


please respond.

regards
 
alfred jones
Ranch Hand
Posts: 279
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
is there any answer to my question ?
 
dnyan ginde
Ranch Hand
Posts: 68
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello Alfred,

Thats the only change you need to do.
 
Thara Visu
Ranch Hand
Posts: 87
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Alfred,
You can also use the "forward pattern" attribute of the controller tag in struts config to /WEB-INF/$M$P so that you dont have to specify WEB-INF/ everytime.
 
Shashank Jain
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think the best strategy is to place the JSP's under the web-inf folder.In Struts though we can force all requests to go through the ActionServlet but in case we are not using struts the best way to secure resources is to place them under web-inf.
Another thing we can do is to have a servlet filter which intercepts all requests and checks for the userinfo in session and accordingly provides or deinies access to a resource..
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic