It's a best practice to keep your JSPs inside of WEB-INF. Since WEB-INF/ is not allowed to be requested by the browser, it's a simple enforcement mechanism to prevent users from directly calling JSPs. (Since it may be common to have JSPs as snippets for headers/footers etc., they might therefore be able to be called in surprising ways, exposing funny attacks.)

On Wed, Jul 10, 2013 at 6:08 PM, Leo Donahue - RDSA IT <leodona...@mail.maricopa.gov> wrote:

> When did it start that developers decided to place jsps in the WEB-INF
> directory? Was that intended from the beginning, or was it stumbled upon?
>
> Leo
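
An added example, not part of the original thread: a build-time check that lists JSP files in a WAR that sit outside WEB-INF/ and are therefore reachable by a direct browser request. The function names, the suffix list and the sample archive contents are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed set of JSP-related extensions to audit (pages, XML pages, fragments).
JSP_SUFFIXES = {".jsp", ".jspx", ".jspf"}


def exposed_jsps(war_bytes):
    """Return the sorted JSP entries of a WAR that are not under WEB-INF/."""
    exposed = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            path = PurePosixPath(name)
            # Skip directory entries and anything that is not a JSP file.
            if name.endswith("/") or path.suffix.lower() not in JSP_SUFFIXES:
                continue
            # Only the top-level WEB-INF directory is closed to direct requests;
            # a JSP anywhere else in the archive has a public URL.
            if path.parts[0] != "WEB-INF":
                exposed.append(name)
    return sorted(exposed)


def build_sample_war():
    """Build a constructed in-memory WAR so the check runs offline."""
    names = [
        "index.jsp",
        "includes/header.jsp",    # snippet meant only for inclusion
        "includes/footer.jspf",   # fragment meant only for inclusion
        "css/site.css",
        "WEB-INF/web.xml",
        "WEB-INF/jsp/home.jsp",   # reachable only through a server-side forward
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name in names:
            war.writestr(name, "<%-- constructed sample --%>")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in exposed_jsps(build_sample_war()):
        print("directly requestable:", entry)
```

Entry pages such as `index.jsp` may be public on purpose, so treat the output as a review list rather than a hard failure.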