Suppose there are multiple portlets in one portlet WAR. For example, the first portlet could contain a set of JSPs in /basic/ and the second portlet a set of JSPs in /admin/.
Currently, it is up to the portlet developer to ensure that a user who has access to the basic portlet does not change the "jspPage" parameter to point to a JSP page in the /admin/ path. Preventing that requires a lot of manual coding, which defeats the purpose of using the MVC Portlet.
This update adds the ability to limit a portlet to a particular path by setting a "jsp-path" init parameter in portlet.xml. For example, setting the basic portlet's jsp-path to "/basic/" ensures that the basic portlet cannot call any JSP outside the /basic/ path. It also detects ".." and other hacks to prevent a malicious user from circumventing this restriction.
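
The kind of check this implies, as an added example that is not the MVC Portlet's own code: a strict validator that refuses suspicious "jspPage" values instead of trying to normalize them. The class name `JspPathCheck`, the method `isAllowed` and the sample values are hypothetical.

```java
public class JspPathCheck {

    // Hypothetical helper: true only if jspPage lies inside jspPath (e.g. "/basic/").
    static boolean isAllowed(String jspPath, String jspPage) {
        if (jspPage == null || !jspPage.startsWith("/")) {
            return false;
        }
        // Backslashes, NUL bytes and leftover percent-encoding can hide a
        // traversal from a plain string comparison, so refuse them outright.
        for (char c : jspPage.toCharArray()) {
            if (c == '\\' || c == '%' || c == '\0') {
                return false;
            }
        }
        // Refuse "." and ".." segments and empty segments ("//", trailing "/")
        // rather than attempting to normalize them.
        String[] segments = jspPage.substring(1).split("/", -1);
        for (String segment : segments) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        // Compare against the prefix with a trailing slash so that "/basic/"
        // does not also match "/basicadmin/".
        String prefix = jspPath.endsWith("/") ? jspPath : jspPath + "/";
        return jspPage.startsWith(prefix);
    }

    public static void main(String[] args) {
        String jspPath = "/basic/"; // value of the jsp-path init parameter
        String[] samples = {        // constructed jspPage values
            "/basic/view.jsp",
            "/admin/edit.jsp",
            "/basic/../admin/edit.jsp",
            "/basic/%2e%2e/admin/edit.jsp",
            "/basic\\..\\admin\\edit.jsp",
            "/basic//view.jsp",
            "/basicadmin/edit.jsp"
        };
        for (String jspPage : samples) {
            String verdict = isAllowed(jspPath, jspPage) ? "ALLOW " : "DENY  ";
            System.out.println(verdict + jspPage);
        }
    }
}
```

Only the first sample is inside /basic/ with no suspicious segments; a prefix test on its own would also have accepted the third, fourth, fifth and sixth.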