Matthias Wessendorf’s Weblog

Avoiding “Open Source” with JSF and Facelets

November 28, 2008 · 7 Comments

With Facelets, views are normally described in XHTML files. The web.xml configuration usually maps the FacesServlet to something like “/faces/*” or “*.faces”, so that you have URLs like:

http://myserver:port/context/coolPage.faces (or .jsf)

Now, it is easy to view the source code of a page when the application is written with Facelets’ XHTML files. Just request the file directly:

http://myserver:port/context/coolPage.xhtml

You now see the page structure, which libraries are used, etc. This type of “Open Source” is something you definitely want to avoid when using Facelets. You could write a security filter or something similar, but the solution can be really, really simple.

Use the following servlet-mapping in your web.xml, so that requests for *.xhtml are processed by the FacesServlet instead of being served as static files:


...
  <servlet-mapping>
    <servlet-name>faces</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>
...

No more “Open Source” of your Facelets application ;-)
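
An added example (not code from the original post): a small Python audit that reads a web.xml and reports whether a direct request for a Facelets view such as /coolPage.xhtml is covered by a FacesServlet mapping or falls through to the container, which would serve the raw source. The sample descriptor is constructed, and the check assumes no other servlet or security-constraint claims the path.

```python
import xml.etree.ElementTree as ET

FACES_SERVLET = "javax.faces.webapp.FacesServlet"

# Constructed sample descriptor; only the url-pattern varies between the cases.
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>faces</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>faces</servlet-name>
    <url-pattern>%s</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def _values(parent, name):
    """Text of every direct child element called `name`."""
    return [(c.text or "").strip() for c in parent if _local(c.tag) == name]

def matches(pattern, path):
    """Servlet-spec URL pattern match: *.ext, /prefix/*, default '/', or exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern in ("/", path)

def faces_patterns(web_xml):
    """url-patterns of every servlet-mapping that points at a FacesServlet."""
    root = ET.fromstring(web_xml)
    names, patterns = set(), []
    for e in root:
        if _local(e.tag) == "servlet" and FACES_SERVLET in _values(e, "servlet-class"):
            names.update(_values(e, "servlet-name"))
    for e in root:
        if _local(e.tag) == "servlet-mapping" and names & set(_values(e, "servlet-name")):
            patterns.extend(_values(e, "url-pattern"))
    return patterns

def source_exposed(web_xml, view_path="/coolPage.xhtml"):
    """True if no FacesServlet mapping covers a direct request for view_path."""
    return not any(matches(p, view_path) for p in faces_patterns(web_xml))

if __name__ == "__main__":
    for pattern in ("/faces/*", "*.faces", "*.xhtml"):
        print(pattern, "->", "exposed" if source_exposed(TEMPLATE % pattern) else "covered")
```

The view path is relative to the context root; pass a different `view_path` to check views in subdirectories.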


7 responses so far ↓

  • Odi // November 28, 2008 at 4:58 pm

    Can you not just put these files in a WEB-INF subdirectory? I usually do that with JSPs as well, when they are just called by a controller servlet (like Spring etc). That makes them automatically inaccessible by the default servlet.

  • cagataycivici // November 29, 2008 at 1:25 am

    WEB-INF/*.xhtml will require a new custom viewhandler, not possible by default. JSF has a weakness in this case.

  • fiorenzo // November 29, 2008 at 2:31 pm

    Hi Matthias,
    good title for a good post!

    Your solution doesn’t work in applications similar to my old jsf/richfaces web app.
    I used the dual context-param to serve both xhtml pages and jsp.
    I used jsp for pdf print and xhtml for all crud features.
    Actually I use an alternative method, like http://threebit.net/mail-archive/itext-questions/msg04296.html, for the pdf question and only xhtml.

    But with this configuration:

    <context-param>
      <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
      <param-value>.jsp</param-value>
    </context-param>
    <context-param>
      <param-name>facelets.VIEW_MAPPINGS</param-name>
      <param-value>*.xhtml</param-value>
    </context-param>

    and:

    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>*.jsp</url-pattern>
    </servlet-mapping>

    I have an infinite loop with:
    Servlet.service() for servlet Faces Servlet threw exception
    java.lang.NullPointerException: FacesContext is null

    bye

    Fiorenzo

  • Hazem Ahmed Saleh // November 29, 2008 at 10:02 pm

    Very cool idea :) .

  • Rafael Ponte // December 3, 2008 at 3:47 am

    Good post, this solution is really really really simple!

  • VoFFka // January 17, 2009 at 1:34 pm

    It’s better to store web content inside WEB-INF folder to avoid “open source” ;)

  • breskeby // February 1, 2009 at 10:28 pm

    Never thought about this problem with this simple solution. Thx.
