user31431

Reputation: 23

Best practice, Java web app: where to put JSP files?

I am using Google App Engine to develop a Java web app. My problem is that all my JSP files can be reached under http://localhost:8888/namefile.jsp. I put all my JSP files in the war folder.

Where should I put the JSP files to avoid this? Or should I just modify the web.xml, changing the URL mapping?

Here is my web.xml file:

<servlet>
    <servlet-name>frontController</servlet-name>
    <servlet-class>com.myapp.frontcontroller.FrontController</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>frontController</servlet-name>
    <url-pattern>/myapp/*</url-pattern>
</servlet-mapping>

<welcome-file-list>
    <welcome-file>home.jsp</welcome-file>
</welcome-file-list>

Thanks in advance.

Upvotes: 1

Views: 3603

Answers (2)

Prashant_M

Reputation: 3124

Public JSP files should be in the root directory of the project, and private JSP files should be in the WEB-INF folder, as things under WEB-INF are not publicly accessible.

Upvotes: 0

Romin

Reputation: 8806

You have a few options and could use any of them depending on your requirements:

  • You can place the files inside the WEB-INF folder. The folders/files present in there will not be available by default. You will need to redirect and/or forward requests accordingly to the right files.

  • It is not just about JSP files but also servlets, which could get directly accessed. Ideally you want to protect URL patterns and make sure that only authorized users, i.e. users with a certain role, can access the servlets/folders that come under them. Towards that, GAE uses the standard security-constraint in the web.xml file. Read up at https://developers.google.com/appengine/docs/java/config/webxml#Security_and_Authentication

  • Finally, you could also look at a Servlet filter to meet your requirements. You could have a global filter that checks if a user is logged in and only then lets them move ahead with accessing the web resource. A filter could also help you perform logging to check who is accessing your application, and handle other cross-cutting concerns.

Upvotes: 1
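
The first option in the answer above, as an added example (not code from the question or from either answer): a front controller for the asker's `/myapp/*` mapping that forwards to JSPs kept under WEB-INF. The `/WEB-INF/jsp/` directory, the route table, the `account.jsp` view and the use of the `javax.servlet` API are assumptions.

```java
package com.myapp.frontcontroller;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FrontController extends HttpServlet {

    // Assumed layout: JSPs moved from war/ to war/WEB-INF/jsp/. The container
    // rejects client requests for /WEB-INF/*, but a server-side forward works.
    private static final String VIEW_DIR = "/WEB-INF/jsp/";

    // Allow-list of route -> view file (route and file names are hypothetical).
    // The JSP path is never built from request input, so a caller cannot
    // steer the forward to another file under WEB-INF.
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("/", "home.jsp");
        VIEWS.put("/home", "home.jsp");
        VIEWS.put("/account", "account.jsp");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With the mapping /myapp/*, getPathInfo() is the part after /myapp
        // (null when the request is exactly /myapp).
        String route = req.getPathInfo();
        String view = VIEWS.get(route == null ? "/" : route);
        if (view == null) {
            // Unknown route: do not fall back to any default file.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Login/role checks belong here, in a filter, or in a security-constraint.
        req.getRequestDispatcher(VIEW_DIR + view).forward(req, resp);
    }
}
```

Once the JSPs are moved, the `<welcome-file>home.jsp</welcome-file>` entry no longer resolves, because no `home.jsp` remains in the public part of the war; the root URL needs a public entry point of its own.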
