Opinion One (more people agree):
Security is not the real reason. A JSP is processed on the server and only its output is sent to the browser, so even if a user knows the JSP path, they cannot see the JSP source through the browser. And if someone breaks into the server by other means, what difference does it make whether the file is in WEB-INF or somewhere else?
The real reason is this. Early JSPs that embedded Java code directly were accessed by giving the JSP path to the user, so they simply could not be placed under WEB-INF. With the MVC pattern, a JSP no longer contains the full logic; it is only a template for the view layer, and it must be filled with model data before it can render a readable page. Such a template should not be directly accessible to users: direct access yields a bunch of blanks, a bunch of placeholders, or even a bunch of NullPointerExceptions, so it needs to go into WEB-INF. To add: a "security problem" means "you are not allowed to access this, otherwise it will be bad for me", whereas here it is really "you are advised not to access this, otherwise it will go badly for you", which belongs to the category of robustness.
A JSP file placed under WEB-INF cannot be accessed directly; it must be reached through an action's forward. That is why this layout is considered more secure: the file is not visible to the user. Pages that users should be able to access directly, such as the login and registration pages, can be placed directly under WebRoot. This depends on the needs of your system.
By setting up a filter, files placed under WebRoot can also be protected from direct access. So where you put them is a matter of habit.
Typical projects require pages to be hidden, so that clients go through a request to an action rather than accessing JSP pages directly. If the JSPs are placed under WebRoot, you must add a filter to block all direct access to *.jsp. A simple comparison:
Placed under WebRoot: advantages: clear program structure, easy to code and maintain; disadvantage: a filter must be added.
Placed under WEB-INF: advantage: no filter needed; disadvantages: disrupted program structure, more trouble in coding and maintenance.
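The filter option from the comparison above, as an added example that is not code from the original page. It assumes the Jakarta Servlet API (`jakarta.servlet`, Servlet 5.0 or later); the class name and the two allowlisted paths are hypothetical.

```java
// Added example: DirectJspAccessFilter.java (class name and paths are hypothetical).
import jakarta.servlet.DispatcherType;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Set;

// Mapped to REQUEST dispatches only: a request typed into the browser passes
// through this filter, while a controller's RequestDispatcher.forward() to a
// JSP is a FORWARD dispatch and is not intercepted.
@WebFilter(urlPatterns = "*.jsp", dispatcherTypes = DispatcherType.REQUEST)
public class DirectJspAccessFilter extends HttpFilter {

    // Pages that clients may open directly (assumed names for the login and
    // registration pages mentioned in the text).
    private static final Set<String> PUBLIC_PAGES = Set.of("/login.jsp", "/register.jsp");

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // For an extension mapping such as *.jsp the servlet path is the
        // context-relative path of the requested page, e.g. "/report.jsp".
        String path = req.getServletPath();

        if (PUBLIC_PAGES.contains(path)) {
            chain.doFilter(req, res);   // allowlisted page: serve it
            return;
        }
        // Every other JSP is a view template: answer 404 so a direct request
        // looks the same as a request for a page that does not exist.
        res.sendError(HttpServletResponse.SC_NOT_FOUND);
    }
}
```

With this filter deployed, a controller can still render a template under WebRoot by forwarding to it, which gives the same effect that the container provides automatically for anything under WEB-INF.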
To reduce risk, you can move these page files to the WEB-INF directory. According to the Servlet specification, WEB-INF is not part of the public document tree of a web application. Therefore, resources under the WEB-INF directory are not served directly to clients. We can still use a JSP page in the WEB-INF directory to provide a view to the client, but the client cannot request that JSP directly. It is safer to store JSPs in the WEB-INF directory.
JSP files under WebRoot or WEB-INF