I am using Tomcat 4. I have found that there's a way to hide resources from a client: place the JSP pages in the WEB-INF directory. The JSP pages then cannot be viewed by typing the path http://localhost/*.jsp. The page can be accessed by the use of RequestDispatcher from a servlet program or by using a custom URL set in web.xml. However, it is required to use <jsp:include page="xxx.jsp" /> to include another JSP. That JSP is also placed in WEB-INF, so a ServletException is thrown. How can I include the JSP file successfully in this way? I have tried to use an absolute path; however, it is still unsuccessful. What should I do? Thanks! Leyland
Ugh. Well, you hid them OK. I wouldn't recommend doing this, though. One thing to note is that the "include" JSP directive references a URL, not a file path (Is it time for me to say "A WEB server is NOT a LAN server" again?). And at the moment, I don't know of any mechanism in JSP 1.1 that will simply and reliably restrict access to a URL except to the degree that logic in the JSP itself restricts access. I've thought of several potential options, but they all seem to have holes in them. Probably the SAFEST thing to do is go "Model 2" and not put anything insecure in JSPs. You CAN hide servlets - in fact, most modern appservers hide them unless explicitly attached to one or more URLs in web.xml.
Customer surveys are for companies who didn't pay proper attention to begin with.
Hey, I'm using IBM WebSphere and Struts. It is considered good practice to put the JSPs in the WEB-INF folder to hide them. My problem is that the JSPs are not getting hidden. If the user types in root/EditPage.jsp, the page is accessible. Oddly enough, it is also accessible when root/WEB-INF/JSP/EditPage.jsp is entered. The files physically reside in the WEB-INF/JSP folder, but both URLs work. Does anyone have any idea what's going on with this? Any help would be great, thanks! - Keith
You're right. WEB-INF /is/ supposed to be hidden, and people DO put JSPs there for that reason, although if my memory weren't all mush I'd remember what the "gotcha" was. There is one, I know, otherwise it'd be the preferred and blessed place to put JSPs that were invoked by Struts but should not be invoked directly by the client. It's still done, just not blessed - though I think that some sort of blessed equivalent is under consideration. Don't know for sure why WebSphere shows the pages. Maybe the version you're using predates the WEB-INF magic (would have to be pre-4.0, I think). Or you've somehow defined a URL path that bypasses the magic.
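
Added example, not part of the thread or any poster's code: a small audit of an exploded web application that lists JSPs a client can request by path (files outside WEB-INF) and WEB-INF JSPs that web.xml publishes under a custom URL. It assumes a container that follows the servlet specification and does not serve WEB-INF directly; the file layout, the servlet name "edit" and the function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample layout (not taken from the posters' applications).
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>edit</servlet-name>
           <jsp-file>/WEB-INF/JSP/EditPage.jsp</jsp-file></servlet>
  <servlet-mapping><servlet-name>edit</servlet-name>
                   <url-pattern>/edit</url-pattern></servlet-mapping>
</web-app>"""
SAMPLE_FILES = {"EditPage.jsp": "", "WEB-INF/JSP/EditPage.jsp": "",
                "WEB-INF/JSP/header.jsp": "", "WEB-INF/web.xml": SAMPLE_WEB_XML}

def build_sample(root):
    """Write the constructed sample webapp under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def local(tag):
    return tag.rsplit("}", 1)[-1]   # ignore an XML namespace, if present

def audit_webapp(root):
    """Return (direct, mapped): JSPs requestable by path, and WEB-INF JSPs
    that web.xml publishes under a custom URL pattern."""
    direct = []
    for dirpath, dirnames, files in os.walk(root):
        if dirpath == root:
            # Assumption: the container does not serve these to clients.
            dirnames[:] = [d for d in dirnames if d not in ("WEB-INF", "META-INF")]
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                direct.append("/" + rel.replace(os.sep, "/"))
    jsp_of, patterns = {}, {}
    web_xml = os.path.join(root, "WEB-INF", "web.xml")
    if os.path.isfile(web_xml):
        for el in ET.parse(web_xml).getroot():
            kids = {local(c.tag): (c.text or "").strip() for c in el}
            if local(el.tag) == "servlet" and "jsp-file" in kids:
                jsp_of[kids.get("servlet-name")] = kids["jsp-file"]
            elif local(el.tag) == "servlet-mapping":
                urls = [(c.text or "").strip() for c in el if local(c.tag) == "url-pattern"]
                patterns.setdefault(kids.get("servlet-name"), []).extend(urls)
    mapped = {url: jsp for name, jsp in jsp_of.items()
              if jsp.startswith("/WEB-INF/") for url in patterns.get(name, [])}
    return sorted(direct), mapped

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_webapp(tmp))
```

A copy of a JSP left outside WEB-INF shows up in the first list, and a jsp-file mapping in web.xml shows up in the second; either would explain a page that stays reachable after being moved under WEB-INF.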