15. Restricting Direct Access to JSP Pages


For many modern MVC framework, there is an expectation that all web client requests will go through a front controller. In the context of Spring MVC, the front controller is the Spring Dispatcher Servlet. Web resources, such as JSP pages, that are typically accessible as web resources must not be directly accessible to web clients..


A common approach for disallowing direct access to JSP pages is to putting JSP pages in the WEB-INF folder. Any resources located in WEB-INF folder, including JSP pages, aren't URL addressible.

The supporting web application resources (css, javascript, images) need to be directly accessible, and they should not be located in the WEB-INF folder. Only the JSP pages, which are intended to be accessed through a URL mapping, should be contained in the WEB-INF folder.


By placing JSP pages in the WEB-INF folder, web clients can't directly access the JSP pages. However the developer can use JSP pages in the WEB-INF folder when specifying the View for URL Mappings.


  1. Hiding the Implementation Technology