I noticed a common pattern is to put JSP pages in WEB-INF folder (as opposed to WAR root). What's the difference? Why is that preferred?
3 Answers
Files in `WEB-INF` are not visible to the users. It's a bit safer that way.
If (a contrived example) you are including `db.jsp`, but by itself it throws an exception, a malicious user can open http://yoursite.com/db.jsp and get some insight on your application (worst - the database credentials) from the exception message.

I don't get it... Won't you get just an HTML response when you open the URL of JSP instead of the JSP code? I may be missing something – Raja Anbazhagan May 03 '16 at 12:38
I don't think it's a good design pattern, but I believe I can explain the reasoning.
Servlet containers won't serve any content in `WEB-INF`. By putting your JSPs there, you prevent anyone from directly accessing a JSP by navigating to it in the browser by name. This might be considered good practice, if some of your JSPs are just fragments of code/markup, and not meant to be used directly, and perhaps open some security hole you haven't thought of.
It's still possible to get the container to see and use the JSPs as expected even in `WEB-INF`.

If it's not a good design pattern, what are the alternative solutions to the problems you explained? – Konrad Garus Jul 26 '11 at 06:09
I disagree. I think it is a very good pattern as it solves a real issue in a simple, robust and easily understandable way. – pap Jul 26 '11 at 10:21
I agree with @pap. As 1) it enforces you to place a controller in front of the JSPs (Servlet, Action, etc.) and 2) it does hide Java specifics (.jsp ending). – home Jul 26 '11 at 14:02
Placing JSP files under `WEB-INF` is a good and officially recommended design pattern as it enforces an MVC approach. You can still use "public" JSP files in very simple applications. – Agustí Sánchez Jul 29 '15 at 07:53
As @BalusC pointed out it's not a *design* pattern. Certainly not in the sense meant by Christopher Alexander and not even in the Gang of Four sense. It doesn't say this solution is wrong, but please look up what those "design patterns" are – Jakub Bochenski Dec 21 '15 at 14:21
An extra-plus when using a `Controller` (or Front-Servlet) is that you decouple the URL path from the physical location of the JSP-files in your project.
As an example, here is a simple request-mapping from a Spring `Controller`:

```java
@RequestMapping(value = "/item/edit", method = RequestMethod.GET)
public String getItemEdit(@RequestParam(value = "id", required = false) final String id) {
    // The returned string is a logical view name, not a file path.
    return "itemeditform";
}
```

The ViewResolver takes care of mapping the URL to the place where your JSPs reside.

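What the answers above describe, as an added example that is not part of the original posts: a plain servlet front controller that forwards to JSPs kept under `WEB-INF`, so the pages render only through the controller. The class name, URL paths and JSP file names are hypothetical; it assumes the `javax.servlet` API (`jakarta.servlet` on newer containers) and Java 9+ for `Map.of`.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: minimal front controller (all names are hypothetical).
@WebServlet(urlPatterns = {"/item/*"})
public class ItemFrontController extends HttpServlet {

    // Fixed map from public URL path to a JSP under WEB-INF.
    // The client only ever supplies a key into this map, never a file name.
    private static final Map<String, String> VIEWS = Map.of(
            "/edit", "/WEB-INF/jsp/itemeditform.jsp",
            "/list", "/WEB-INF/jsp/itemlist.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is null for a request to exactly "/item".
        String path = req.getPathInfo();
        String view = (path == null) ? null : VIEWS.get(path);
        if (view == null) {
            // Unknown path: never build a JSP path from request data.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The controller sets up what the JSP expects, so the page is never
        // rendered in a half-initialised state. The JSP must still escape
        // this value on output (for example with <c:out>).
        req.setAttribute("itemId", req.getParameter("id"));

        // A server-side forward may target WEB-INF; the container refuses
        // a direct browser request for the same path.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

With this layout, `/item/edit` renders the form, while a direct request for `/WEB-INF/jsp/itemeditform.jsp` is rejected by the container.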