Frank, I agree with you when a JSP is just a template. However, may people mix JSP's with scriplets and other code nibblets. Having items such as those as publicly accessible can cause security and functionality issues. Luckily, I myself haven't needed to put scriptlets in my JSP's though I still put my JSP's, used as (tiles) display templates, under /WEB-INF/pages.
Regards, One "David"'s $0.02 worth -----Original Message----- From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] Sent: Saturday, January 29, 2005 9:07 AM To: Struts Users Mailing List Subject: Re: Blocking direct access to JSPs My argument against it is that WEB-INF is meant to be configuration information and "support files", and while I agree with viewing JSPs as templates, I don't view them as support files either. Let me put it another way... WEB-INF should be things that are not application-specific, except for configuration files and libraries. Also, if a JSP is just a template, surely it won't work without something on the server having been executed, right? Therefore, what's the harm if it's exposed anyway? I suppose you could argue you wouldn't even want to expose a stack trace, but it depends how far you want to carry the argument. Of course, you could always do: <% if (request.getAttribute("cameFromServer") != null) { %> // The page here <% } %> Sure, it requires two lines in all JSPs, but it should solve the problem. Anyway, it's just my feeling on it. -- Frank W. Zammetti Founder and Chief Software Architect Omnytex Technologies http://www.omnytex.com William Stranathan wrote: > We had this discussion a lot last week, and it seems to be somewhat > divided on whether JSP's belong in WEB-INF. What was your compelling > argument AGAINST it? > > My compelling argument FOR it has always been that WEB-INF is where > application artifacts that are not complete web artifacts belong. When > writing in Struts (pseudo-MVC er Model II or whatever you like to call > it), JSP is NOT web-ready - it's only template data - just like if you > had an email template that had the blanks filled in. > > Of course, I don't put my JSP's DIRECTLY under WEB-INF - usually have > them broken out by the type of template - web, mobile, email, etc. > > w > > Tim Christopher wrote: > >> Hi, >> >> I would like to block direct access to jsp files, and from what I've >> read the best practice appears to be setting a security-constraint >> within the web.xml file. (As opposed to storing all *.jsp files >> within the WEB-INF folder, though please correct me if that's wrong). >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
