I'm trying to define some composite components in my web application. According to the tutorials i read, i have to place the xhtml files inside a resource folder located in webcontent. This solution is problematic, given that it would make those files available for public access from an url. Is there a way to put this components inside the web-inf folder, and make the jsf look for the files there? If not, is there another way to avoid direct access?
Thanks.
P.S.: I have looked into this answer, and if i understood BalusC's answer correctly, what I intend to do is possible.
"Composite components" are not exactly the same as "compositions" in the question/answer you found. The OP was clearly talking about compositions as in <ui:include> files which are including <ui:componsition> content.
You effectively want to prevent direct access to /resources. This can be achieved by adding the following security constraint entry to web.xml:
<security-constraint>
<display-name>Restrict direct access to JSF resources</display-name>
<web-resource-collection>
<web-resource-name>JSF resources</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint /><!-- Empty auth constraint! -->
</security-constraint>
As per the upcoming JSF 2.2, this would not be necessary anymore as it allows you to move the whole /resources folder into /WEB-INF by the following configuration entry in web.xml:
<context-param>
<param-name>javax.faces.WEBAPP_RESOURCES_DIRECTORY</param-name>
<param-value>WEB-INF/resources</param-value>
</context-param>
来源:https://stackoverflow.com/questions/13861612/prevent-direct-access-to-composite-components-by-placing-them-inside-web-inf