Avoiding “Open Source” with JSF and Facelets

When using Facelets, it is normal to use XHTML files to describe the view. In your web.xml configuration you will usually also find the FacesServlet mapped to something like “/faces/*” or “*.faces”, so that you have URLs like:

http://myserver:port/context/coolPage.faces (or .jsf)

Now, it is easy to view the source code of the page, when the application is written with Facelets’ XHTML files. Just do the following:


You now see the page structure, which libraries are used, etc. This type of “Open Source” is something you definitely want to avoid when using Facelets. You could write a security filter or something similar, but the solution can be really, really simple.

Use the following servlet-mapping in your web.xml:


No more “Open Source” of your Facelets application 😉
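An added check, not part of the original post: it reads a web.xml and reports whether a direct request for a raw *.xhtml view would fall through to the container's default servlet. The two remedies it recognises (a FacesServlet mapping on the view suffix, and a deny-all security-constraint) and the sample descriptors are assumptions of this example, not the mapping from the post.

```python
import xml.etree.ElementTree as ET

FACES_CLASSES = {"javax.faces.webapp.FacesServlet", "jakarta.faces.webapp.FacesServlet"}

def _kids(el, name):
    # Match on local name so namespaced and plain descriptors both work.
    return [c for c in el.iter() if c is not el and c.tag.rsplit("}", 1)[-1] == name]

def _texts(el, name):
    return [(c.text or "").strip() for c in _kids(el, name)]

def raw_view_exposure(web_xml, suffix=".xhtml"):
    """Return 'faces-servlet', 'denied' or 'exposed' for direct requests to *suffix."""
    root = ET.fromstring(web_xml)
    pattern = "*" + suffix
    faces = {n for s in _kids(root, "servlet")
             if FACES_CLASSES & set(_texts(s, "servlet-class"))
             for n in _texts(s, "servlet-name")}
    for m in _kids(root, "servlet-mapping"):
        if faces & set(_texts(m, "servlet-name")) and pattern in _texts(m, "url-pattern"):
            return "faces-servlet"   # raw file is rendered, never served as-is
    for sc in _kids(root, "security-constraint"):
        covered = any(pattern in _texts(w, "url-pattern") and not _kids(w, "http-method")
                      for w in _kids(sc, "web-resource-collection"))
        auth = _kids(sc, "auth-constraint")
        if covered and auth and not _texts(auth[0], "role-name"):
            return "denied"          # empty auth-constraint: no caller may fetch it
    return "exposed"                 # the default servlet returns the view source

# Constructed sample descriptors (not from the original post).
_TEMPLATE = """<web-app>
  <servlet><servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>Faces Servlet</servlet-name>
    <url-pattern>%s</url-pattern></servlet-mapping>
  %s
</web-app>"""
_DENY = """<security-constraint>
  <web-resource-collection><web-resource-name>raw views</web-resource-name>
    <url-pattern>*.xhtml</url-pattern></web-resource-collection>
  <auth-constraint/></security-constraint>"""
PREFIX_ONLY = _TEMPLATE % ("/faces/*", "")
SUFFIX_MAPPED = _TEMPLATE % ("*.xhtml", "")
CONSTRAINED = _TEMPLATE % ("*.faces", _DENY)

if __name__ == "__main__":
    for name in ("PREFIX_ONLY", "SUFFIX_MAPPED", "CONSTRAINED"):
        print(name, raw_view_exposure(globals()[name]))
```

A result of `exposed` means neither remedy covers the suffix; the check does not model filters or `http-method-omission`, so treat `exposed` as a prompt to inspect the descriptor by hand.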



Posted in apache, facelets, jsf, myfaces, web²
10 comments on “Avoiding “Open Source” with JSF and Facelets”
  1. Odi says:

    Can you not just put these files in a WEB-INF subdirectory? I usually do that with JSPs as well, when they are just called by a controller servlet (like Spring etc). That makes them automatically inaccessible by the default servlet.

  2. cagataycivici says:

    WEB-INF/*.xhtml will require a new custom viewhandler, not possible by default. JSF has a weakness in this case.

  3. fiorenzo says:

    Hi Mathias,
    good title for good post!

    Your solution doesn’t work in applications similar to my old JSF/RichFaces web app.
    I used the dual context-param to serve both XHTML pages and JSP.
    I used JSP for PDF printing and XHTML for all CRUD features.
    Actually I use an alternative method, like http://threebit.net/mail-archive/itext-questions/msg04296.html, for the PDF question, and only XHTML.

    But with this configuration:



    <servlet-name>Faces Servlet</servlet-name> 
    <servlet-name>Faces Servlet</servlet-name> 
    <servlet-name>Faces Servlet</servlet-name> 

    I have an infinite loop with:
    Servlet.service() for servlet Faces Servlet threw exception
    java.lang.NullPointerException: FacesContext is null



  4. Rafael Ponte says:

    Good post, this solution is really really really simple!

  5. VoFFka says:

    It’s better to store web content inside WEB-INF folder to avoid “open source” 😉

  6. breskeby says:

    never thought about this problem with this simple solution. thx.

  7. In my facelets hello world doesn’t work.


    Faces Servlet

    Faces Servlet

  8. wulph says:

    I use this setting in web.xml

    Restrict raw XHTML Documents

