Three steps to follow MVC while building Java Web application

Always process URL (POST forms, link clicking etc) by servlet / action bean and never by JSP

ActionBeans (whatever certain framework call those classes) and rarely servlets are controllers intended for processing user input. JSPs are view engine dedicated to rendering representation of software to client. Separating user input processing and HTML rendering prevents you from temptation of creating huge, multi-purpose, untestable JSPs that are mixing business and representation logic and violating MVC pattern.

Render views by forwarding to JSP located only under /WEB-INF/${JSP folder}

Views should be accessible only by design of software and never directly. Putting JSPs within root directory of project brings security issues regarding unwanted access to them from clients. Also practice of hiding all JSPs under /WEB-INF reduces possibility of URL being processed by JSP and not controller and help us to follow step #1.

Pass model from controller to view only by using request attributes or flash scope

All other ways of view being able to access some data are too limited or insecure. Using request parameters directly within view can be the option for malicious user to pass invalid data. Using session for storing information is causing memory consumption and requires mechanisms to clear unused data after expiration. Cookies depends on browser, limited in size and not very friendly to use. From the other hand - request attributes lacks all those drawback and propose clean decoupling of controller responsibility (update model) and view responsibility (read model). Flash scope becomes very handy when it comes to Redirect After Post pattern where request attributes can’t be used.