Also, if a JSP is just a template, surely it won't work without something on the server having been executed, right? Therefore, what's the harm if it's exposed anyway? I suppose you could argue you wouldn't even want to expose a stack trace, but it depends how far you want to carry the argument. Of course, you could always do:
<% if (request.getAttribute("cameFromServer") != null) { %>
// The page here
<% } %>Sure, it requires two lines in all JSPs, but it should solve the problem.
Anyway, it's just my feeling on it.
-- Frank W. Zammetti Founder and Chief Software Architect Omnytex Technologies http://www.omnytex.com
William Stranathan wrote:
We had this discussion a lot last week, and it seems to be somewhat divided on whether JSP's belong in WEB-INF. What was your compelling argument AGAINST it?
My compelling argument FOR it has always been that WEB-INF is where application artifacts that are not complete web artifacts belong. When writing in Struts (pseudo-MVC er Model II or whatever you like to call it), JSP is NOT web-ready - it's only template data - just like if you had an email template that had the blanks filled in.
Of course, I don't put my JSP's DIRECTLY under WEB-INF - usually have them broken out by the type of template - web, mobile, email, etc.
w
Tim Christopher wrote:
Hi,
I would like to block direct access to jsp files, and from what I've read the best practice appears to be setting a security-constraint within the web.xml file. (As opposed to storing all *.jsp files within the WEB-INF folder, though please correct me if that's wrong).
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
