You cannot simply “hide” some information from the URL and nevertheless access it in the backend. PrettyFaces and Rewrite promote the use of RESTful URLs. And RESTful URLs have to contain something to “identify” the resource that you want to address. I for myself don’t believe that hiding such information improves security. You have to make sure that you code does corresponding permissions checks.