Inside web.xml, I should be able to protect JSF sources from access using
(To be honest, I'm not quite sure how to use it; I read that the default already contains .xhtml along with .class, .jsp, .jspx, .properties.)
With the above, I can still access the JSF (xhtml) source.
The old way to secure JSF sources works, i.e.
will yield "HTTP Status 403 - Access to the requested resource has been denied" in the browser when trying to access the JSF source (i.e. .xhtml).
Now the first way is much smarter to use (fewer tags!) - but I wonder if it must also be put inside a security-constraint.
I use JBoss-6.0.0.Final with the JSF Mojarra reference implementation. The project facet in Eclipse is properly set to JSF 2.0 and the relevant server runtime.
The javax.faces.RESOURCE_EXCLUDES parameter is applied to the FacesServlet in order to control what resources a JSF processing request can pull in. So if anything, I would expect it to interfere with Facelets "include" processing. Unless your FacesServlet URL mappings are strangely configured, a URL ending with ".xhtml" wouldn't qualify, because it wouldn't be routed to the FacesServlet to begin with.
An IDE is no substitute for an Intelligent Developer.
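The two settings discussed in this thread, side by side in one web.xml, as an added example that is not code from either poster: the `javax.faces.RESOURCE_EXCLUDES` parameter, which a direct request for an .xhtml file never reaches, and a container-level deny rule that produces the 403. It assumes the FacesServlet is mapped to `*.jsf` and the Servlet 3.0 descriptor; the display and resource names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Assumption: JSF pages are requested as /page.jsf, so a request
       for /page.xhtml is handled by the container's default servlet
       and returns the raw Facelets source unless something denies it. -->
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>

  <!-- Consulted only when JSF itself serves a resource. A direct GET
       for /page.xhtml is not routed to JSF under the mapping above,
       so listing .xhtml here does not hide the source. -->
  <context-param>
    <param-name>javax.faces.RESOURCE_EXCLUDES</param-name>
    <param-value>.class .jsp .jspx .properties .xhtml</param-value>
  </context-param>

  <!-- Container-level deny: an auth-constraint with no role-name
       authorizes nobody, so every direct request matching the
       pattern is answered with HTTP 403. JSF still reads the file
       internally when /page.jsf is requested. -->
  <security-constraint>
    <display-name>Deny direct access to Facelets source</display-name>
    <web-resource-collection>
      <web-resource-name>Facelets source</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

To check a deployment, request a page's .xhtml URL directly and confirm the response is 403 rather than the unrendered markup, then confirm the same page still renders through its .jsf URL.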