Why put JSP in WEB-INF?

Question

I noticed a common pattern is to put JSP pages in WEB-INF folder (as opposed to WAR root). What\'s the difference? Why is that preferred?

Answer 1

Files in WEB-INF are not visible to the users. It's a bit safer that way.

If (a contrived example) you are including db.jsp, but by itself it throws an exception, a malicious user can open http://yoursite.com/db.jsp and get some insight on your application (worst - the database credentials) from the exception message.