Which XHTML files do I need to put in /WEB-INF and

Posted 2018-12-31 17:04

Question:

After these questions:

  • https://stackoverflow.com/questions/8589315/jsf2-dynamic-template
  • Dynamic ui:include
  • How can I retrieve an object on @WindowScoped?
  • How can I check if an object stored with @WindowScoped is stored correctly?
  • ICE Faces and error in creation of a bean in WindowScoped

which I wrote all to resolve a "stupid" issue with the JSF2 framework, namely the fact that I can't link directly to a page stored in a /WEB-INF subfolder. After doing some research on Google and Stack Overflow, I would like to know one thing: How do I structure a JSF2 web project?

In particular, where exactly do I put the XHTML pages?

Answer 1:

Files in the /WEB-INF folder are indeed not publicly accessible by the end user. So you cannot have something like http://localhost:8080/contextname/WEB-INF/some.xhtml. That would be a potential security hole as the end user would be able to view among others /WEB-INF/web.xml and so on.

You can however use the /WEB-INF folder to put master template files, include files and tag files in. For example, the following template client page.xhtml which is placed outside /WEB-INF and is accessible by http://localhost:8080/contextname/page.xhtml:

<ui:composition template="/WEB-INF/templates/template.xhtml"
    xmlns="http://www.w3.org/1999/xhtml"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:ui="http://java.sun.com/jsf/facelets"
>
    <ui:define name="content">
        ...
        <ui:include src="/WEB-INF/includes/include.xhtml" />
        ...
    </ui:define>
</ui:composition>

The advantage of placing master templates and include files in /WEB-INF is that the end user won't be able to open them directly by entering/guessing their URL in the browser address bar. The normal pages and template clients which are intended to be accessed directly must not be placed in the /WEB-INF folder.

By the way, the composite component files are in turn also not supposed to be publicly accessible, however they are by specification required to be placed in the /resources folder, which is by default publicly accessible. If you make sure that you access all resources using the therefor provided components so that they are never accessed by /resources in URL (but instead by /javax.faces.resource), then you can add the following constraint to web.xml to block all public access to the /resources folder:

<security-constraint>
    <display-name>Restrict direct access to the /resources folder.</display-name>
    <web-resource-collection>
        <web-resource-name>The /resources folder.</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
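
An added example, not part of the original answer: a Python check that parses a web.xml and confirms that a context-relative path is covered, for every HTTP method, by a deny-all constraint like the one above. The sample web.xml is constructed, and the GET-only /templates/* rule and all function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's rule plus a hypothetical GET-only rule.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/templates/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop the XML namespace so any web-app schema version is handled."""
    return tag.rsplit("}", 1)[-1]


def _matches(pattern, path):
    """Servlet url-pattern matching: exact, '/prefix/*' and '*.ext' forms."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def denied_for_all_methods(web_xml, path):
    """True if a role-less (deny-all) auth-constraint covers path for every HTTP method."""
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            tags = [(_local(c.tag), (c.text or "").strip()) for c in wrc]
            # Listing http-method or http-method-omission leaves methods uncovered.
            if any(t.startswith("http-method") for t, _ in tags):
                continue
            if any(t == "url-pattern" and _matches(v, path) for t, v in tags):
                return True
    return False
```

A constraint that lists specific HTTP methods applies only to those methods, which is why the GET-only rule in the sample is reported as not blocking /templates/*.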