Yes, in my opinion you should only very rarely let the user access jsp pages
directly (e.g. for the start page).
What we are doing in our applications is the following:
All the protected jsp files get the ending jspp. We protect them via Web-Server
configuration (in our case Apache) from direct access and only allow internal
forwards via actions.
--- Matthias
Hartmut Bernecker wrote:
> Hi,
>
> I search for the best practice of form based login and security
> mechanism based on it.
> Who knows a link or wants to contribute some information or hints to the
> following themes:
>
> Is it a good practice to forward *all* JSP pages through the action
> servlet instead of calling some JSP pages with a direct link (<a
> href="some.jsp">...).
>
> How can JSP pages be hidden so that they can be accessed only via the
> central servlet?
>
> TIA
> Hartmut Bernecker
>
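
The Apache-side block described in the reply above, sketched as an added example; it is not part of the original thread and not the poster's actual configuration. It assumes Apache httpd 2.4 sitting in front of the servlet container, and only the `.jspp` suffix is taken from the post.

```apache
# Added example (assumption: Apache httpd 2.4 fronting the servlet container).
# ".jspp" is the suffix convention described in the post; nothing else here
# comes from the poster's setup.

# Narrow form, shown for comparison only: it matches a URL path that ends
# exactly in ".jspp". httpd keeps a trailing ";name=value" path parameter as
# part of the path, while servlet containers drop it before selecting the
# servlet, so the two sides can disagree about what the request names.
#<LocationMatch "\.jspp$">
#    Require all denied
#</LocationMatch>

# Broader form: deny any client request for a .jspp resource, with or
# without a trailing path parameter, in any letter case.
<LocationMatch "(?i)\.jspp(;[^/]*)?$">
    Require all denied
</LocationMatch>
```

Forwards issued by an action happen inside the container and never pass through Apache, so they are unaffected by this rule. The rule protects the pages only if clients cannot reach the container's own connector directly, and the container must map `*.jspp` to its JSP servlet for the forwarded pages to render.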