Spring location of mvc and jsp pages in webapp vs WEB-INF
I have a question about hosting spring mvc and jsp pages in webapp vs under WEB-INF.
Let's say we have the settings below.
webapp
WEB-INF
mvc-dispatcher.xml
web.xml
login.jsp
register.jsp
success.jsp
error.jsp
index.jsp
I can link to pages from the browser using URLs like http://host.com/app/index.jsp and from there I can link (a href) to register.jsp. From register.jsp, I am sending to a controller that can return a success view that resolves to success.jsp (using InternalResourceViewResolver).
If I move the jsp pages under WEB-INF (instead of previously in the webapp), I cannot send http://host.com/app/index.jsp from the browser. Also from success.jsp I am currently referencing index.jsp with href = "index.jsp" which will need to be changed to map to a controller (maybe in / as a dispatcher servlet) which will return the index as the name of the view ... Therefore all my links will have to be served by the controller. I'm right? or is there a way to refer to jsp pages without any associated controller when the jsp pages are under WEB-INF (if InternalResourceViewResolver is set).
Hello,
Miten.
source to share
You are absolutely right. You cannot access JSPs internally WEB-INF
directly from the browser. And this is very good . All your requests should be sent to the JSP through the controller and all your JSPs should be under WEB-INF
. There are many reasons for this:
- Users cannot get the actual source of your JSPs and this has a positive impact on security.
- Many JSPs rely on some request attributes (The Model). When the user calls the JSP directly from the browser, there is no Model. This might break some logic.
- One JSP pod
WEB-INF
can be used for different URLs without any changes, and users don't know anything about it! - It's just good practice when you are doing MVC ( Model 2 , not Model 1 )
Considering the question of accessing JSP directly without a controller:
- You can directly map HTTP Exceptions / Throwables to JSP through JSP error pages . For example, a simple technique is good for custom 404s.
- When using Apache Tiles + Spring and accessing some
/notmappedurl
Spring (Tiles) will try to find the definitionnotmappedurl
. (From my experience with Tiles + Spring). I think other viewing technologies have similar behavior. - Not so hard to write
@RequestMapping("/someurl")void someurl(){}
. Spring will try to find a viewsomeurl
based on the method name. Just a stub.
source to share