security - Prevent direct access to composite components by placing them inside /WEB-INF

Question

I'm trying to define some composite components in my web application. According to the tutorials i read, i have to place the xhtml files inside a resource folder located in webcontent. This solution is problematic, given that it would make those files available for public access from an url. Is there a way to put this components inside the web-inf folder, and make the jsf look for the files there? If not, is there another way to avoid direct access?

Thanks.

P.S.: I have looked into this answer, and if i understood BalusC's answer correctly, what I intend to do is possible.

Answer 1

"Composite components" are not exactly the same as "compositions" in the question/answer you found. The OP was clearly talking about compositions as in <ui:include> files which are including <ui:componsition> content.

You effectively want to prevent direct access to /resources. This can be achieved by adding the following security constraint entry to web.xml:

<security-constraint>
    <display-name>Restrict direct access to JSF resources</display-name>
    <web-resource-collection>
        <web-resource-name>JSF resources</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint /><!-- Empty auth constraint! -->
</security-constraint> 

As per the upcoming JSF 2.2, this would not be necessary anymore as it allows you to move the whole /resources folder into /WEB-INF by the following configuration entry in web.xml:

<context-param>
    <param-name>javax.faces.WEBAPP_RESOURCES_DIRECTORY</param-name>
    <param-value>WEB-INF/resources</param-value> 
</context-param>