After these questions:
that I wrote all to resolve a "stupid" issue for the JSF2 framework, the fact that I can't link directly to a page stored in a /WEB-INF
subfolder. After that I did some research on Google and Stackoverflow I would know a thing: How do I structure a JSF2 web project?
In particular, where exactly do I put the XHTML pages?
Files in /WEB-INF
folder are indeed not publicly accessible by enduser. So you cannot have something like http://localhost:8080/contextname/WEB-INF/some.xhtml
. That would be a potential security hole as the enduser would be able to view among others /WEB-INF/web.xml
and so on.
You can however use the /WEB-INF
folder to put master template files, include files and tag files in. For example, the following template client page.xhtml
which is placed outside /WEB-INF
and is accessible by http://localhost:8080/contextname/page.xhtml
:
<ui:composition template="/WEB-INF/templates/template.xhtml"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:ui="http://java.sun.com/jsf/facelets"
>
<ui:define name="content">
...
<ui:include src="/WEB-INF/includes/include.xhtml" />
...
</ui:define>
</ui:composition>
The advantage of placing master templates and include files in /WEB-INF
is that the enduser won't be able to open them directly by entering/guessing its URL in the browser addres bar. The normal pages and template clients which are intented to be accessed directly must not be placed in /WEB-INF
folder.
By the way, the composite component files are in turn also not supposed to be publicly accessible, however they are by specification required to be placed in /resources
folder which is by default publicly accesible. If you make sure that you access all resources using the therefor provided components so that they are never accessed by /resources
in URL (but instead by /javax.faces.resource
), then you can add the following constraint to web.xml
to block all public access to the /resources
folder:
<security-constraint>
<display-name>Restrict direct access to the /resources folder.</display-name>
<web-resource-collection>
<web-resource-name>The /resources folder.</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>