Why put JSP in WEB-INF?

Solution 1:

Files in WEB-INF are not visible to the users. It's a bit safer that way.

If (a contrived example) you are including db.jsp, but by itself it throws an exception, a malicious user can open http://yoursite.com/db.jsp and get some insight on your application (worst - the database credentials) from the exception message.

Solution 2:

I don't think it's a good design pattern, but I believe I can explain the reasoning.

Servlet containers won't serve any content in WEB-INF. By putting your JSPs there, you prevent anyone from directly accessing a JSP by navigating to it in the browser by name. This might be considered good practice, if some of your JSPs are just fragments of code/markup, and not meant to be used directly, and perhaps open some security hole you haven't thought of.

It's still possible to get the container to see and use the JSPs as expected even in WEB-INF.

Solution 3:

An extra-plus when using a Controller (or Front-Servlet) is that you decouple the URL path from the physical location of the JSP-files in your project.

As an example, here is a simple request mapping from a Spring Controller:

@RequestMapping(value = "/item/edit", method = RequestMethod.GET)
public String getItemEdit(@RequestParam(value = "id", required = false) final String id) {
    return "itemeditform";
}

The ViewResolver takes care of mapping the URL to the place where your JSPs reside.
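
The mechanism the answers above describe, shown without Spring as an added example that is not code from any of the answers: a front servlet forwards to JSPs under WEB-INF through a fixed route table, so the public URL and the file location stay decoupled. The class name, the `/app/*` mapping, the `/WEB-INF/jsp/` directory, the `itemlist` view and the `javax.servlet` API version are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: minimal front servlet (hypothetical class, mapping and paths).
@WebServlet("/app/*")
public class FrontServlet extends HttpServlet {

    // Assumed JSP location; the container refuses direct browser requests under /WEB-INF.
    private static final String PREFIX = "/WEB-INF/jsp/";
    private static final String SUFFIX = ".jsp";

    // Fixed route table: public path -> logical view name.
    // The JSP path is never built from request input, so a caller cannot select an arbitrary file.
    private static final Map<String, String> ROUTES = Map.of(
            "/item/edit", "itemeditform",
            "/item/list", "itemlist");

    // Maps a logical view name to its physical JSP, as a view resolver would.
    static String resolve(String viewName) {
        return PREFIX + viewName + SUFFIX;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // e.g. "/item/edit"; null when nothing follows /app
        String path = req.getPathInfo();
        // Map.of(...) rejects null keys, so guard before the lookup.
        String view = (path == null) ? null : ROUTES.get(path);
        if (view == null) {
            // Unknown route: answer 404 without touching any JSP.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Server-side forward: internal dispatches may reach /WEB-INF, browser requests may not.
        req.getRequestDispatcher(resolve(view)).forward(req, resp);
    }
}
```

With this in place, a request for `/app/item/edit` renders `/WEB-INF/jsp/itemeditform.jsp`, while a direct request for that JSP path is refused by the container.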