You don't need to keep your JSPs under WEB-INF; you can set up a security
constraint to prevent access to your raw JSP files.
We keep our JSPs in a /struts folder and use this security constraint in
the web.xml file.
The key is that the constraint has no roles, so no access is allowed.
<security-constraint>
    <display-name>Prevent access to raw pages.</display-name>
    <web-resource-collection>
        <web-resource-name>Raw Pages</web-resource-name>
        <url-pattern>/error.jsp</url-pattern>
        <url-pattern>/struts/*</url-pattern>
        <url-pattern>/META-INF/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>No roles, so no direct access</description>
    </auth-constraint>
</security-constraint>
Paul Benedict-2 wrote:
>
> Definitely move them under WEB-INF. Otherwise, you can never enforce
> people going through your action if they know the JSP address.
>
> At any rate, you can just put the JSP file in the path of the <forward>
>
> Paul
>
--
View this message in context:
http://www.nabble.com/.do-and-.jsp-tp20787624p20838128.html
Sent from the Struts - User mailing list archive at Nabble.com.
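
An added example, not part of the original message or of the Struts project: a small Python audit that checks request paths against a web.xml using the Servlet specification's best-match rule and reports whether a role-less auth-constraint denies them. The WEB_XML sample is constructed from the url-patterns in the message; the /reports/* constraint and the function names rank and denied are assumptions for illustration.

```python
import xml.etree.ElementTree as ET  # "{*}" namespace wildcard needs Python 3.8+
# Constructed sample: the url-patterns from the message, plus a hypothetical
# /reports/* constraint that names an <http-method> and so covers only GET.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Raw Pages</web-resource-name>
      <url-pattern>/error.jsp</url-pattern>
      <url-pattern>/struts/*</url-pattern>
      <url-pattern>/META-INF/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def rank(pattern, path):
    """Servlet best-match precedence for a url-pattern, or None if no match."""
    if pattern == path:
        return (3, len(pattern))                      # exact
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))                      # longest path prefix
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                                 # extension
    return (0, 0) if pattern == "/" else None         # default mapping

def denied(web_xml, path, method="GET"):
    """True if the best-matching pattern carries a role-less auth-constraint for method."""
    hits = []  # (rank, covers_method, no_roles) per matching url-pattern
    for sc in ET.fromstring(web_xml).findall(".//{*}security-constraint"):
        auth = sc.find("{*}auth-constraint")
        no_roles = auth is not None and auth.find("{*}role-name") is None
        for wrc in sc.findall("{*}web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("{*}http-method")]
            covers = not methods or method in methods
            for p in wrc.findall("{*}url-pattern"):
                r = rank(p.text.strip(), path)
                if r is not None:
                    hits.append((r, covers, no_roles))
    best = max((h[0] for h in hits), default=None)
    return any(c and n for r, c, n in hits if r == best)
```

The container applies these constraints to direct client requests only; a RequestDispatcher forward from an action is not checked against them, which is why the forward can still reach the JSP.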