Abhay, it's a good solution you gave; by putting a filter on the WEB-INF value it will work for the WEB-INF folder. But basically the whole 'webroot' folder comes under attack.
And it is not that we want to download a file present in the WEB-INF folder. It is like a hacker or attacker can access the file if we don't put a filter or validation on the request.
Bear, exampleAction is just a Struts action. It's just an example. There are many actions for login, registration, report generation, etc.