Re: possible security issue
Lincoln Baxter III
Thanks for mentioning this. It’s definitely a concern, though I might go as far as to say that it’s orthogonal to PrettyFaces in the respect that security should be handled at a resource level.
PrettyFaces exposes an additional resource URL, but cannot “block” the underlying resource by default because that might break existing references; this is what a security package should be used for (as you mentioned as well).
I think your solution is correct (there are many ways to do this), but I personally use Seam-Security, and block all .xhtml files according to certain patterns.
You could even use an inbound rewrite rule to forward all non-mapped requests to a specific “access denied page”
<rewrite match="^/.*\.xhtml$" substitute="/access-denied" redirect="chain" outbound="false"/>
or something like that…
It’s probably worth mentioning in the FAQ / Documentation.
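As an added worked example (not code from the post above or from the PrettyFaces project), the two approaches it describes side by side: a container-managed security constraint in web.xml that denies every direct client request for a Facelets source file, and a pretty-config.xml that maps a pretty URL to a view and forwards any remaining direct .xhtml request to an access-denied page. The mapping ids, view paths, the `/access-denied` URL and the 3.3.0 schema namespace are assumptions chosen for the example; substitute the namespace that matches your installed PrettyFaces version.

```xml
<!-- web.xml fragment (added example, not from the original post).
     An empty <auth-constraint/> means "no role is permitted", so the
     container rejects every direct client request ending in .xhtml.
     Servlet security constraints are NOT applied to RequestDispatcher
     forwards, so the PrettyFaces forward to /faces/store.xhtml still
     works while a browser hitting /faces/store.xhtml directly gets 403. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <display-name>Deny direct access to Facelets view sources</display-name>
    <web-resource-collection>
      <web-resource-name>Facelets views</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>

</web-app>

<!-- pretty-config.xml (added example; ids, view paths and the
     /access-denied URL are assumptions for illustration).
     Requests for /store are forwarded to the view; any request that still
     names a .xhtml file directly is rewritten to /access-denied, which is
     itself a mapped pretty URL so the rewritten request resolves.
     match= is a regular expression in PrettyFaces, so the pattern must be
     a valid regex (a bare "*.xhtml" would not compile). -->
<pretty-config xmlns="http://ocpsoft.com/prettyfaces/3.3.0">

  <url-mapping id="store">
    <pattern value="/store" />
    <view-id value="/faces/store.xhtml" />
  </url-mapping>

  <url-mapping id="accessDenied">
    <pattern value="/access-denied" />
    <view-id value="/faces/access-denied.xhtml" />
  </url-mapping>

  <!-- inbound only: do not rewrite links that the application renders -->
  <rewrite match="^/.*\.xhtml$"
           substitute="/access-denied"
           redirect="chain"
           outbound="false" />

</pretty-config>
```

The web.xml constraint is the resource-level block the post recommends: it is enforced by the container for every client request, independent of which filter or URL mapping produced the forward. The rewrite rule only sees requests that pass through the PrettyFaces filter, so treat it as a friendlier error page for direct hits rather than as the security boundary itself.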