struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David G. Friedman" <>
Subject RE: Blocking direct access to JSPs
Date Sat, 29 Jan 2005 15:20:25 GMT

I agree with you when a JSP is just a template.  However, may people mix
JSP's with scriplets and other code nibblets.  Having items such as those as
publicly accessible can cause security and functionality issues.  Luckily, I
myself haven't needed to put scriptlets in my JSP's though I still put my
JSP's, used as (tiles) display templates, under /WEB-INF/pages.

One "David"'s $0.02 worth

-----Original Message-----
From: Frank W. Zammetti []
Sent: Saturday, January 29, 2005 9:07 AM
To: Struts Users Mailing List
Subject: Re: Blocking direct access to JSPs

My argument against it is that WEB-INF is meant to be configuration
information and "support files", and while I agree with viewing JSPs as
templates, I don't view them as support files either.  Let me put it
another way... WEB-INF should be things that are not
application-specific, except for configuration files and libraries.

Also, if a JSP is just a template, surely it won't work without
something on the server having been executed, right?  Therefore, what's
the harm if it's exposed anyway?  I suppose you could argue you wouldn't
even want to expose a stack trace, but it depends how far you want to
carry the argument.  Of course, you could always do:

<% if (request.getAttribute("cameFromServer") != null) { %>
// The page here
<% } %>

Sure, it requires two lines in all JSPs, but it should solve the problem.

Anyway, it's just my feeling on it.

Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies

William Stranathan wrote:
> We had this discussion a lot last week, and it seems to be somewhat
> divided on whether JSP's belong in WEB-INF.  What was your compelling
> argument AGAINST it?
> My compelling argument FOR it has always been that WEB-INF is where
> application artifacts that are not complete web artifacts belong.  When
> writing in Struts (pseudo-MVC er Model II or whatever you like to call
> it), JSP is NOT web-ready - it's only template data - just like if you
> had an email template that had the blanks filled in.
> Of course, I don't put my JSP's DIRECTLY under WEB-INF - usually have
> them broken out by the type of template - web, mobile, email, etc.
> w
> Tim Christopher wrote:
>> Hi,
>> I would like to block direct access to jsp files, and from what I've
>> read the best practice appears to be setting a security-constraint
>> within the web.xml file.  (As opposed to storing all *.jsp files
>> within the WEB-INF folder, though please correct me if that's wrong).
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message