Hide JSP page from direct access, but how do you access to the target page?

The URL below, the first content in the chosen answer describes JSP hiding.

Hidden features of JSP/Servlet

So far I understand that I can put JSP files under the /WEB-INF directory, so that it prevents a user from direct access like http://test.com/WEB-INF/register.jsp (returns 404).

I thought I understood, but I don't, and I want to describe it better, so I'm opening up the question here.

I have, say, 2 jsp files like below.

webapps/ROOT/home.jsp

webapps/ROOT/WEB-INF/register.jsp

NOTE: /go_register is mapped to the servlet class Register in web.xml (DD)

home.jsp

<html>
<body>
  <a href="/go_register">Go to register.jsp</a>
</body>
</html>

register.jsp

<html>
<body>
  <form method="post" action="/process_register">
    <input type="submit">
  </form>
</body>
</html>

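So, since register.jsp resides under /WEB-INF/, only RequestDispatcher can access it. That means I need to create a servlet for forwarding the request.

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Register extends HttpServlet {

    // Forwards GET /go_register to the JSP hidden under /WEB-INF.
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String address = "/WEB-INF/register.jsp";
        request.getRequestDispatcher(address).forward(request, response);
    }
}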

But this does not look right. If I want to add a login page /WEB-INF/login.jsp to home.jsp, then in order to access login.jsp, do I have to create another servlet just for the purpose of going to the login page?

public class Login extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String address = "/WEB-INF/login.jsp";
        request.getRequestDispatcher(address).forward(request, response);
    }
}

I think I am using the technique in the wrong way. Could anyone explain how to use this jsp hiding?

Meow asked Sep 16 '10 23:09


2 Answers

You do have a Servlet which does the login task in the doPost() method? You could just add the necessary doGet() to it :)

By the way, I would just map the Register servlet on a single url-pattern like /register so that you can use it in both <a href="/register"> (which will call doGet() method) and <form action="/register" method="post"> (which will call doPost() method) without having the unnecessary need for two servlet mappings.

To get a step further, you can refactor this all into a single servlet which takes action accordingly based on the request URL. As you see, there is some code repetition which can be abstracted away. Normally, this is to be done by a MVC framework like Struts2, Spring-MVC, JSF2, etcetera, but you could also create a basic one yourself. More detail and code examples can be found in this answer.

BalusC answered Nov 12 '22 10:11
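
One way to write the single servlet that acts on the request URL, as described in the answer above. This is an added example, not code from the answer or the question: the class name FrontController, the /pages/* mapping and the helper resolveView are assumptions, and it assumes the javax.servlet API on Java 9 or later. The view path comes from a fixed allow-list and is never built from request data, so no request can steer the forward to other files under /WEB-INF.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller. Assumed to be mapped in web.xml to a
// prefix url-pattern such as /pages/* (not a mapping from the question).
public class FrontController extends HttpServlet {

    // Allow-list: request path -> JSP hidden under /WEB-INF.
    // Only these exact paths are forwarded; everything else is a 404,
    // including attempts such as "/../web.xml".
    private static final Map<String, String> VIEWS = Map.of(
        "/register", "/WEB-INF/register.jsp",
        "/login", "/WEB-INF/login.jsp");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // With a /pages/* mapping, getPathInfo() is the part after /pages.
        String view = resolveView(request.getPathInfo());
        if (view == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        request.getRequestDispatcher(view).forward(request, response);
    }

    // Returns the JSP for a known path, or null for anything else.
    // Map.of rejects null keys, so null is handled before the lookup.
    static String resolveView(String pathInfo) {
        return pathInfo == null ? null : VIEWS.get(pathInfo);
    }
}
```

Adding a page is then one more entry in VIEWS rather than one more servlet; form submissions would be handled in a doPost() on the same class.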


Yep, that's correct. Usually it's easier to use a framework, like Struts or Spring.

Jim Barrows answered Nov 12 '22 11:11