On Mon, Mar 9, 2009 at 16:03, Ken Bowen <kbo...@als.com> wrote: > I agree with everything in both posts, but I just don't see what the > /location/ of the jsp files (inside/outside WEB-INF) has to do with it. > All that controls is whether a user/client can find a way to look inside the > file. > One can (as I do) follow the separation of concerns quite strictly (app > logic in java files; presentation in jsp files), and have those > jsp files residing in something like webapps/app/pages, while the classes of > course normally reside in webapps/app/WEB-INF/classes. > And I'm sure we could find (in the wild out there, not developed by anyone > here) JSP pages residing under WEB-INF which were > horribly encrusted with java code and application logic. > > It's more a matter of developer discipline than anything else.
So, I'm a disciplined developer? :-) Yeah, it's basically because in this setup the JSP pages are part of the app's implementation, not part of the exposed URL space. So I put them under WEB-INF with the classes, libs, tags, etc. Practically speaking the effect of allowing user access to the JSPs would be that you could enter a bogus URL and get a garbage page (probably a 500 error). -- Len --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org