Avoiding “Open Source” with JSF and Facelets

When using Facelets it is normal to use XHTML files to describe the view. In your web.xml configuration, the FacesServlet is usually mapped to something like “/faces/*” or “*.faces”, so that you have URLs like:

http://myserver:port/context/coolPage.faces (or .jsf)

Now, it is easy to view the source code of the page when the application is written with Facelets’ XHTML files. Just request the following:

http://myserver:port/context/coolPage.xhtml

You now see the page structure, which libraries are used, etc. The request never reaches the FacesServlet, so the container serves the view file as a static resource. This type of “Open Source” is something you definitely want to avoid when using Facelets. You could write a security filter or something similar, but the solution can be really, really simple.

Use the following servlet-mapping in your web.xml:


...
  <servlet-mapping>
    <servlet-name>faces</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>
...

No more “Open Source” of your Facelets application 😉
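To confirm the mapping took effect on a deployed application, a smoke test can inspect the body returned for a view's .xhtml URL. The following Python check is an added example, not part of the original post; the function names and both sample bodies are constructed, and it assumes that a rendered page never contains tags from the JSF tag-library namespaces.

```python
import re

# URI roots of the JSF/Facelets tag libraries (java.sun.com era and JSF 2.2+).
JSF_NS_ROOTS = ("http://java.sun.com/jsf/", "http://xmlns.jcp.org/jsf/")
XMLNS_RE = re.compile(r'xmlns:([A-Za-z_][\w.-]*)\s*=\s*["\']([^"\']+)["\']')

# Constructed sample: a view file as the container's default servlet hands it out.
RAW_VIEW = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:ui="http://java.sun.com/jsf/facelets">
<body><ui:composition template="/layout.xhtml">
  <h:form><h:inputText value="#{user.name}"/></h:form>
</ui:composition></body></html>"""

# Constructed sample: the same view after FacesServlet has rendered it.
RENDERED_VIEW = """<html xmlns="http://www.w3.org/1999/xhtml"><body>
<form id="f" method="post" action="/context/coolPage.xhtml">
<input type="text" name="f:name" value="" /></form></body></html>"""


def jsf_prefixes(body):
    """Return the XML prefixes that the body binds to a JSF tag library."""
    return {p for p, uri in XMLNS_RE.findall(body) if uri.startswith(JSF_NS_ROOTS)}


def unrendered_tags(body):
    """List JSF tags (e.g. 'h:form') still present in a response body.

    FacesServlet replaces these tags with plain HTML, so any that remain
    mean the container served the view file itself.
    """
    found = set()
    for prefix in jsf_prefixes(body):
        tag_re = re.compile(r"<(%s:[A-Za-z][\w.-]*)[\s/>]" % re.escape(prefix))
        found.update(tag_re.findall(body))
    return sorted(found)


def leaks_view_source(body):
    """True when the response body is an unprocessed Facelets view."""
    return bool(unrendered_tags(body))


if __name__ == "__main__":
    for label, body in (("raw", RAW_VIEW), ("rendered", RENDERED_VIEW)):
        print(label, leaks_view_source(body), unrendered_tags(body))
```

Run it against the response for each view's .xhtml URL after deployment; a non-empty tag list means the request bypassed the FacesServlet.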

Howdy!

Posted in apache, facelets, jsf, myfaces, web²
10 comments on “Avoiding “Open Source” with JSF and Facelets”
  1. Odi says:

    Can you not just put these files in a WEB-INF subdirectory? I usually do that with JSPs as well, when they are just called by a controller servlet (like Spring etc). That makes them automatically inaccessible by the default servlet.

  2. cagataycivici says:

    WEB-INF/*.xhtml will require a new custom viewhandler, not possible by default. JSF has a weakness in this case.

  3. fiorenzo says:

    Hi Mathias,
    good title for good post!

    Your solution doesn’t work in applications similar to my old JSF/RichFaces web app.
    I used the dual context-param to serve both XHTML and JSP pages.
    I used JSP for PDF printing and XHTML for all CRUD features.
    Actually I use an alternative method, like http://threebit.net/mail-archive/itext-questions/msg04296.html, for the PDF question, and only XHTML.

    But with this configuration:

    <context-param> 
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name> 
    <param-value>.jsp</param-value> 
    </context-param> 
    <context-param> 
    <param-name>facelets.VIEW_MAPPINGS</param-name> 
    <param-value>*.xhtml</param-value> 
    </context-param> 

    and:

    <servlet> 
    <servlet-name>Faces Servlet</servlet-name> 
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> 
    <load-on-startup>1</load-on-startup> 
    </servlet> 
    <servlet-mapping> 
    <servlet-name>Faces Servlet</servlet-name> 
    <url-pattern>*.xhtml</url-pattern> 
    </servlet-mapping> 
    <servlet-mapping> 
    <servlet-name>Faces Servlet</servlet-name> 
    <url-pattern>*.jsp</url-pattern> 
    </servlet-mapping> 

    I have an infinite loop with:
    Servlet.service() for servlet Faces Servlet threw exception
    java.lang.NullPointerException: FacesContext is null

    bye

    Fiorenzo

  4. Rafael Ponte says:

    Good post, this solution is really really really simple!

  5. VoFFka says:

    It’s better to store web content inside WEB-INF folder to avoid “open source”😉

  6. breskeby says:

    never thought about this problem with this simple solution. thx.

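  7. In my facelets hello world doesn’t work.

    <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
    </context-param>

    <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>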

  8. wulph says:

    I use this setting in web.xml

    Restrict raw XHTML Documents

    XHTML
    *.xhtml
