Hi, I've had a pen test finding where our JSP files, which are in the public directories of our web app, can be opened directly as long as the user knows the name of the JSP file. This is a site where a login is mandatory to access any content. Struts actions are already protected, where the action itself will detect sessions and enforce security, but direct access to JSPs doesn't seem to be protected in the same way, and apparently this is a security risk. The auditor's opinion is that no content whatsoever should be viewable by anyone without a valid session.
May I know what can be done to accomplish this? Both our Struts 1 and 2 applications are affected by this finding. Thanks, Wong
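One way to close the gap described in the post, as an added example rather than code from the poster's application: a servlet Filter mapped to `*.jsp` for the REQUEST dispatcher only, so a browser hitting a JSP by name is rejected unless the session is logged in, while forwards from Struts actions still reach the page. The class name, the `authenticatedUser` session attribute and the web.xml names are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Hypothetical filter (not from the original post): rejects direct browser
 * requests to *.jsp unless the session has been marked as logged in. Map it
 * in web.xml for the REQUEST dispatcher only, so forwards from Struts actions
 * (which arrive via the FORWARD dispatcher) still reach the JSP:
 *
 *   <filter>
 *     <filter-name>directJspAccess</filter-name>
 *     <filter-class>DirectJspAccessFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>directJspAccess</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *   </filter-mapping>
 */
public class DirectJspAccessFilter implements Filter {
    // Assumed: the login action stores the user under this session key.
    private static final String AUTH_ATTR = "authenticatedUser";

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): do not create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(AUTH_ATTR) != null;
        if (!loggedIn) {
            // Same status whether or not the file exists, so a URL guess
            // cannot confirm which JSP names are present.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Moving the JSPs under `/WEB-INF/` achieves the same effect for pages that are only ever reached by forward, since the container never serves WEB-INF contents directly; the filter is for cases where the files must stay in the public directories.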