JSF files inside WEB-INF directory, how do I access them?

Tim picture Tim · Aug 18, 2010 · Viewed 19.8k times · Source

I want to put my JSF 2.0 xhtml files under WEB-INF\jsf. How do I access them then? I know that anything inside WEB-INF isn't exposed to the outside, so I need a controller to redirect me to the corresponding JSP, right? (This is also the model 2 pattern iirc).

Can I achieve this with a parameter inside web.xml/faces-config.xml? I think the FacesServlet is the controller of my webapp so it should serve this purpose?

And another question for understanding the Model 2 Pattern. Does every action have to go first to a servlet which then handles the next possible step? So a simple <a href="anotherPage.html" /> is forbidden in this pattern since it doesn't go to the controlling servlet?

Answer

BalusC picture BalusC · Aug 18, 2010

I want to put my JSF 2.0 xhtml files under WEB-INF\jsf. How do I access them then?

You cannot. Files in /WEB-INF folder are not directly accessible.

There are two options to workaround the problem of JSF source files being public accessible.

  1. Map the FacesServlet on *.xhtml instead of *.jsf.

  2. Or, restrict direct access on *.xhtml by a <security-constraint> in web.xml.

    <security-constraint>
        <display-name>Restrict direct access to XHTML files</display-name>
        <web-resource-collection>
            <web-resource-name>XHTML files</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint> 
    

See also:


And another question for understanding the Model 2 Pattern. Does every action have to go first to a servlet which then handles the next possible step?

The FacesServlet already does that. It's the controller. With JSF you already end up with a simple javabean as model and JSP/Facelets file as view. The FacesServlet as being the controller has already taken all the nasty work of request parameter gathering, validation, conversion, model updating and navigation from your hands.

See also:


So a simple <a href="anotherPage.html" /> is forbidden in this pattern since it doesn't go to the controlling servlet?

No, it's perfectly fine. The controller will kick in whenever needed. If the resource doesn't need a controller (i.e. static resource), then you also don't need to let it pass through some controller.


In the future, please ask multiple questions in separate Stack Overflow questions.