From within a web app it is easy to place logic on accessing views programmatically, but how do you stop a user from going straight to the JSP page itself?
Example
    @RequestMapping("/SomeView")
    public ModelAndView goToSomeView() {
        // logicIsNotSatisfied stands for whatever access check the application performs
        if (logicIsNotSatisfied)
            return new ModelAndView("failure");
        else
            return new ModelAndView("welcome");
    }
Easy enough.
But how do you keep a user from typing the direct path to a resource into the web browser, for example:
http://mydomain/myWebApp/resouces/stuff.png
Question:
How do we restrict users from directly accessing the webapp's directories?
Place the JSPs under WEB-INF, and they won't be accessible from the outside. Note that accessing them directly shouldn't be a big concern, because all the users would get is an error, or an empty page, given that all the data accessed by the view wouldn't be available, since the controller hasn't been invoked.
Regarding static resources, if you don't want the users to be able to access them without access control, then also put them under WEB-INF, or outside of the webapp directories, and access them through a controller which checks that the user may access them, reads them, and writes them to the response.
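A controller of the kind the answer describes, as an added example that is not code from the question or the answer: it checks the user, then streams a file stored under WEB-INF to the response. The `/files/{name}` mapping, the `/WEB-INF/protected/` folder, the `"user"` session attribute and the use of the `javax.servlet` API are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletContext;
import javax.servlet.http.*;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

@Controller
public class ProtectedResourceController {
    // Hypothetical folder: the container never serves anything under WEB-INF directly.
    private static final String BASE = "/WEB-INF/protected/";
    // Allow-list of plain file names, so "../" or nested paths cannot escape BASE.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+\\.(png|jpg|gif|pdf)");

    @RequestMapping("/files/{name:.+}")
    public void serve(@PathVariable("name") String name, HttpServletRequest request,
                      HttpServletResponse response) throws IOException {
        HttpSession session = request.getSession(false);
        // Assumption: the login code stored a "user" attribute in the session.
        if (session == null || session.getAttribute("user") == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!SAFE_NAME.matcher(name).matches()) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        ServletContext ctx = session.getServletContext();
        try (InputStream in = ctx.getResourceAsStream(BASE + name)) {
            if (in == null) { // no such file under the protected folder
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String mime = ctx.getMimeType(name);
            response.setContentType(mime != null ? mime : "application/octet-stream");
            response.setHeader("Cache-Control", "private, no-store"); // keep out of shared caches
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

The file name is validated against an allow-list before it is joined to the base path, because a controller that reads files by name becomes a path traversal risk if the name is used unchecked.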