[Jean-Francois Bilodeau]

I’m having fun developing a JSF application, but there’s something that confuses me about the servlet mapping.

For instance, in the JSFLoginExample, the index.jsp provides a link to userLogin.faces. All is well when one clicks on the link. However, if Clever Bob sees the .faces extension, there’s nothing stopping him from changing the extension to .jsp (or jsf, of whatever), and land on the view.

In the case of JSFLoginExample, the app blows up, but in the real world, that seems kinda clunky.

How do you ‘hide’ your views in JSF so they can’t be invoked directly via the URL? That would remove the last cloud of mystery that I can’t wrap my head around in JSF…

Thanks in advance!

[ernestz]

You could always provide a servlet filter to ‘hide’ or otherwise redirect all requests for .jsp/.jsf to the equivalent .faces request.

[Jean-Francois Bilodeau]

@ernestz wrote:

You could always provide a servlet filter to ‘hide’ or otherwise redirect all requests for .jsp/.jsf to the equivalent .faces request.

Thanks ernestz,

I’ve got the same answer elsewhere and I’ve also tried security constraints. They work, but I was hoping there was a more ‘graceful’ way of doing it. Another possibility is to store them in the WEB-INF folder, but from what I understand, that’s not a recommended approach.

[Author]

Posts