hiding pages behind WEB-INF?

I am using JSF and facelets. I am looking for a way to hide my pages. The Struts equivalent is putting pages under the WEB-INF directory. I can�t figure out how to do this with JSF. Any ideas?

What do you mean by "hide my pages" ? May be you want to hide your code ?

J meant to protect his pages from public access.

What you can do is provide a "gateway" page outside of WEB-INF, and use some forwarding/redirecting/include mechanism in your gateway to access pages in WEB-INF.

Doing this with Facelets should not be too hard.
[ January 10, 2007: Message edited by: Hung Tang ]

Hung, I'm not clear on this gateway page. Do you have a sample? It almost sounds like this gateway would act as a filter.

The basic idea is that you'd have a servlet as a gateway to all JSP pages that you want to protect. Instead of accessing the JSP directly, you'd access the servlet, and pass the name of the JSP you really want to show as a parameter. The servlet can then forward to that JSP (which could be located in WEB-INF, because servlets have access to that).

I'll use Facelets as an example. Below is fragment of what I call a "gateway" page. It uses a template approach and includes template.xhtml, which is hidden behind /WEB-INF. Hope this helps.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:h="http://java.sun.com/jsf/html"> <body> <ui:composition template="/WEB-INF/template.xhtml"> <ui:define name="title">Example</ui:define> </ui:composition> </body> </html>

Gateway or as I'd call it 'View Resolver' can be done if you are using Spring.

I think I did a project recently doing this with Facelets.

Ok, I think I got it. Thanks for the help.

Hi J,
I also have the similar problem. I want to keep all the jsp's under WEB-INF. But the navigation is not working.

Navigation is as follows
indes.jsp --> first.jsp --> second.jsp

Here except index.jsp, remaining jsp's are in WEB-INF/jsps folder.

Sample code for faces-config.xml is

<navigation-rule>
<from-view-id>/index.jsp</from-view-id>
<navigation-case>
<from-outcome>success</from-outcome>
<to-view-id>/WEB-INF/jsps/first.jsp</to-view-id>
</navigation-case>
<navigation-rule>
<from-view-id>/WEB-INF/jsps/first.jsp</from-view-id>
<navigation-case>
<from-outcome>success</from-outcome>
<to-view-id>/WEB-INF/jsps/second.jsp</to-view-id>
</navigation-case>

The first navigation rule index.jsp --> first.jsp is working properly, but not the second one. I don't follow gateway/view resolver concept exactly.

We use spring framework along with JSF in our project. would you please give me possible solution for my problem.

Regards
Ravi

Sorry, I can�t provide an example. I will have a need to do this in an upcoming project, but I have not put an example together yet. This is still on my to do list. If someone else has a working example, I am also interested to see this in action.

I'm pretty sure may latest attempt at The Perfect Webapp does, in fact hide the facelets tiles in WEB-INF. Same basic rules apply as when doing it in Struts. As long as whatever is assembling the pages knows how to resolve the component URI's, hidden files are just find.

I�ve put a example together, but WEB-INF does not seem to hide the pages. For example, after putting my facelets layout page in a subdirectory under WEB-INF, the page will render if the url is typed in. Or otherwise said, I typed in the following url and the layout was displayed.

http://localhost:9080/FaceletsWeb/faces/WEB-INF/pages/layouts/layout.jspx

I�m puzzled. I thought that you could not access pages behind WEB-INF with a browser.
[ February 07, 2007: Message edited by: J Haley ]

http://localhost:9080/FaceletsWeb/faces/WEB-INF/pages/layouts/layout.jspx

The WEB-INF directory in question must be the one that contains the web.xml file; it should be in a directory at the top of the document hierarchy. If it is somewhere below that (as seems to be the case with this URL, since it is two levels deep at /FaceletsWeb/faces) the name and the directory are not considered special, and any documents it contains will be served.

I only have one WEB-INF directory. �FaceletsWeb� is my context root. And �faces� is my servlet-mapping in web.xml. If I type my url without �faces�, WEB-INF hides my pages, but the problem comes in when I include �faces�.

Ah, so the URL doesn't describe a file that is being accessed directly, but instead it instructs the servlet to access that file. As was said before, any server code (the servlet) can access and serve files from anywhere it can get them, including the WEB-INF directory. The URL is actually telling it to do precisely that. And like you said, trying to access to file directly is prohibited. So it sounds to me like all is working as it should.

Precisely. As I've been known to point out occasionally, a WEB server is NOT a FILE server. A URL is a resource locator string, not something that has an inherent meaning the way a filesystem path does.

The confusion arrives because A) URLs are normally constructed with a syntax that closely resembles that used by Unix filesystems and because B) the most common way of resolving a resource is for the web server (or web application server) is for it to break the URL into components and use the components as the names of directories and files.

However, in J(2)EE, this default resolution is overridden when you pass the URL to a servlet (or a JSP - which is compiled to produce a servlet, so same difference). The servlet is free to deconstruct a URL in any way it desires, and return any type of data it wishes to. Or, in the case of MVC-style servlet frameworks such as JSF and Struts, to dispatch work to an action process, then bounce the results to a second servlet - the JSF or Struts view JSP. Which view JSP is targeted, of course, determined by the navigation rules and directives defined by the application developer in the struts-config.xml or its JSF equivalent.

If a URL is not routed to a servlet - meaning that it doesn't match any of the routing patterns defined in the webapp's WEB-INF/web.xml resource then the default action kicks in, which is to strip the host and context parts out of the URL and use the rest as a filename path, PROVIDED that the root of said filename path is not /WEB-INF. For those exceptions, the proper response is a 404 error.

Notice I didn't say WEB-INF/web.xml FILE, I said RESOURCE. That's because WARs in their purest forms are in zipfile format, so the WEB-INF/web.xml "file" isn't actually a discrete filesystem object, thus not a file in the literal sense. And within the context of a deployed webserver the same can be said of the WAR itself, but that's another matter.

So, since the appserver client isn't allowed to see WEB-INF or its subordinates via URLs, it's an ideal place to hide things. And, since the components of the webapp can see WEB-INF and its subordinates (as web app resources), they can pull that information out and do anything they want with it, including build up JSPs from it. All that's required is an understanding of how the rules are applied.

Ok, I get it. I did not have a proper understanding of how this worked. Thanks for clearing this up.

Two more follow ups
1. Sounds like there is no point in hiding faces or facelet templates pages behind WEB-INF since the faces servlet mapping will find them.

2. In JSF, if I have a multi-page wizard. Sounds like I�ll have to create my own logic to prevent the user from accessing the pages out of order. By out of order, I mean prevent them from bypassing page 1 by typing in page 2's url. If I remember correctly with Struts. All I had to do was hid my wizard pages behind WEB-INF

Regarding both questions, I wouldn't say that. I don't know much about JSF, but I assume that there is a way to hook in some code of yours whenever a request goes through the /faces/ URL. In that code you can check which URL is accessed, and then take all required steps to make sure that all accesses are "proper", i.e. not pages you don't want accessed at all, and no pages out of order (by including some sequence ID in the requests).