Thanks. That's interesting. I am using WebLogic 9.2, and I seem to have no
problem using the request object in the JSP (for getParameter at least). I
am wondering what type of request object manipulation, as you are referring
to, may cause issues?




Jeromy Evans - Blue Sky Minds wrote:
> 
> 
> The only issue I've experienced is when (bad) scriptlets within the JSP 
> manipulate the request object directly, which is assumed to use the 
> /xxx.jsp URI but is actually /WEB-INF/results/xxx.jsp.
> 
> Many would argue that best practice is to not use JSPs at all.  Another 
> group would argue that Acegi should be used rather than rolling your own 
> filter.
> 
> Hope that helps.
> 
> mojoRising wrote:
>> Is this considered the Best Practice: Keeping all JSPs under the WEB-INF
>> directory? We have not done that on my project, I am curious if there are
>> pluses and minuses to this?
>>
>> Thanks,
>> John
>>
>>
>>
>> The easiest way is to always have the user call an action to get a JSP, 
>> even if it is a simple page.  You then also ensure that all data 
>> necessary for that page has been obtained.  Then, by placing the JSPs in 
>> the WEB-INF directory you will prevent access directly from a browser 
>> (only from the s2 dispatcher).
>>
>> Otherwise, I would suggest a servlet filter or header code for all JSPs 
>> that make the necessary checks.
>>
>> /Ian
>>
>>   
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/authentication-question-tp16006710p16123101.html
Sent from the Struts - User mailing list archive at Nabble.com.

