Well, its just behaving as a WebServer. Can you locate your xhtml files within the WEB-INF so they cant be rendered directly and have your navigation rules point to the locations within WEB-INF?
Also look at the dvdstore example for some snippets that are loaded from the WEB-INF directory.
I realise it's just serving up the files, but this never happens with things like JSPs, because the server would intercept those requests and run the servlet that it has compiled from the JSP instead.
You don't have to put your JSPs under WEB-INF, what a kludge that would be!
I think Seam by default should be configured to not allow direct access to your xhtml facelet code. Does anybody agree, or have I got something wrong?
Writing a filter that blocks direct .xhtml access shouldn't be too hard. I wouldn't expect facelets to perform a web request to access the .xhtml files, so you should be able to 404 any direct HTTP access.
I'm not 100%, but this should be easy enough to test. Either just write the filter, or look at the HTTP request log during expected usage. Even if facelets makes a web request for some reason, it should come from localhost or your local IP. You can adjust your filter to permit that access.
Thanks CptnKirk, I'll give it a go and post the results. This is the direction I was headed in, but wanted a sanity check to see if anybody else has dealt with this some other way, or if anybody else even sees it as an issue.
You could also try setting your Faces Servlet to match on *.xhtml instead of *.seam. I'm not sure if that causes a problem or not. I wish I were closer to a dev environment. These are all quick tests.
For some reason I thought that facelets was still like JSP in that if you screw up and don't go through the JSF servlet things will crash. Not pretty, but secure. I also tend to use a JSP 2.0 jspx like syntax with my facelet pages to get tag JSF completion. That also helps things explode rather than render if someone attempts to access the .jspx file directly.
Let me know what you find. If nothing works, I should be more helpful tomorrow.