Is this considered the Best Practice: Keeping all JSP's under the WEB-INF directory? We have not done that on my project, I am curious if there are plus' and minus' to this?
Thanks, John The easiest way is to always have the user call an action to get a JSP, even if it is a simple page. You then also ensure that all data necessary for that page has been obtained. The, by placing the JSP's in the WEB-INF directory you will prevent access directly from a browser (only from the s2 dispatcher). Otherwise, I would suggest a servlet filter or header code for all JSPs that make the necessary checks. /Ian -- View this message in context: http://www.nabble.com/authentication-question-tp16006710p16121577.html Sent from the Struts - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]