Putting JSPs inside WEB-INF will protect them from direct client access. However, we have a legacy system which puts all JSPs above WEB-INF. What are the best strategies to make sure these JSPs cannot be accessed directly - assuming the URLs to them cannot be made secret?