tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: how to prevent user access to JSP pages?
Date Thu, 23 Aug 2018 09:26:11 GMT
On 22/08/18 19:48, Terence M. Bandoian wrote:


> Back on topic, do JSPs have to be registered with the container using
> servlet mappings in web.xml or some other mechanism in order to serve as
> targets of forwards by servlets?  Further, does doing so make those JSPs
> accessible via external requests?  I suspect the answer to both
> questions is yes which means an additional mechanism will have to be
> introduced to block that access which I believe was the original
> question.  Servlet filter?

What makes JSPs accessible is the mapping of *.jsp to the JSP servlet.
Any file outside of WEB-INF with a .jsp extension will be passed to the
JSP servlet for processing:
- .jsp -> .java
- .java -> .class (servlet)
- send request to servlet from previous step

JSPs (or any other files) located under WEB-INF are never directly

Forwards and includes can reference JSP files (actually any files)
located under WEB-INF and the file is processed the same way it would be
if it were located outside of WEB-INF. The idea of locating files under
WEB-INF is so you can use them in forwards and includes without them
being directly accessible.


P.S. It is actually WEB-INF or META_INF everywhere I write WEB-INF above
but I only used WEB-INF to try and keep it clearer.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message