StrutsCatalog: Hiding pages under WEB-INF
[Note: While this is a typical practice, it is not one most teams need to follow. In most cases,Link only to Actions hides the page locations making this practice redundant.]
The container provides security for all files below WEB-INF. This applies to client requests, but not to forwards from the { { { ActionServlet } } }. (Though some versions of some containers may not support the forwarding behavior.) Placing all JSPs below WEB-INF ensures they are only accessed through Actions, and not directly by the client or each other. This practice enforces MVC at the Controller by ensuring pages are not accessed directly.
However, if your pages need to access a number of other HTML resources, like images and stylesheets, it may be more convenient to leave them in the document root. As noted, if you are usingLink only to Actions, then the address of your JSP's is never exposed anyway, and this practice loses much of its value. The Link only to Actions practice is usually sufficient.
-- TedHusted
Comments:
The real value of this pattern is to protect your application from improper usage. If, for some reason, someone knows the direct address of your JSP pages, s/he could use it to access your pages without going thru an action first. Hiding your pages under WEB-INF guarantees that this won't happen.
-- MarcusBrito