I've been told that some older containers don't allow you to forward to JSPs behind /WEB-INF. It wouldn't surprise me. Other than that I've found Ian's suggestion to be the most effective way to ensure users can't access JSPs directly, IMO a must for Tiles, HTML fragments and any page using Struts tags.

The only issue I've experienced is when (bad) scriptlets within the JSP manipulate the request object directly, which is assumed to use the /xxx.jsp URI but is actually /WEB-INF/results/xxx.jsp.

Many would argue that best practice is to not use JSPs at all. Another group would argue that Acegi should be used rather than rolling your own filter.

Hope that helps.

mojoRising wrote:
Is this considered the Best Practice: keeping all JSPs under the WEB-INF
directory? We have not done that on my project; I am curious if there are
pluses and minuses to this?

Thanks,
John



The easiest way is to always have the user call an action to get a JSP, even if it is a simple page. You then also ensure that all data necessary for that page has been obtained. Then, by placing the JSPs in the WEB-INF directory you will prevent access directly from a browser (only from the s2 dispatcher).

Otherwise, I would suggest a servlet filter or header code for all JSPs that make the necessary checks.

/Ian
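As an added illustration of Ian's second suggestion (this is not code from the thread or from Struts itself), a servlet filter that refuses *.jsp requests arriving straight from the browser while still letting server-side forwards from an action reach a JSP under /WEB-INF. The class name DirectJspAccessFilter and the Servlet 3.0 API are my own assumptions.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (Servlet 3.0+): block *.jsp/*.jspx requests that come
// directly from the client, but let forwards and includes (e.g. a Struts
// result pointing at /WEB-INF/results/xxx.jsp) through unchanged.
public class DirectJspAccessFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only a REQUEST dispatch originates from the browser; FORWARD and
        // INCLUDE are internal, so the request has already passed through an action.
        boolean direct = request.getDispatcherType() == DispatcherType.REQUEST;

        // Compare the path inside the web app, i.e. without the context path.
        String path = request.getRequestURI()
                .substring(request.getContextPath().length())
                .toLowerCase();
        boolean isJsp = path.endsWith(".jsp") || path.endsWith(".jspx");

        if (direct && isJsp) {
            // Answer 404 rather than 403 so the existence of the JSP is not confirmed.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map it in web.xml to the url-pattern `*.jsp` (and `*.jspx`); the default filter-mapping dispatcher is REQUEST only, so forwards never enter the filter, and the in-code DispatcherType check keeps the behaviour correct if someone later adds a FORWARD dispatcher to the mapping.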


