This almost has to be a stupid question, but I'm lost on it.
From the browser I can access my page.xml files.
From there if you View Source, it's there for you. I don't have anything I'm super worried about in there, but it could give a potential attacker some hints as to architecture, security and whatnot.
What's the right way to secure those resources (and any other non-xhtml resources that may be in the view tree)?
Put the following in web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>XML</web-resource-name>
            <url-pattern>*.xml</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
This is a candidate for the documentation.
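One way to check that a web.xml really blocks a given path with the deny-all constraint from the answer (an added example, not part of the original thread). It goes beyond the answer by applying the servlet rule that only the constraints on the best-matching url-pattern count, and by flagging constraints limited to some HTTP methods; the function names and the sample descriptor are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (web-resource-name omitted for brevity): the first
# constraint is the one from the answer, the other two are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<security-constraint>
  <web-resource-collection><url-pattern>*.xml</url-pattern></web-resource-collection>
  <auth-constraint/>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>*.properties</url-pattern><http-method>GET</http-method></web-resource-collection>
  <auth-constraint/>
</security-constraint>
</web-app>"""

def kids(elem, name):
    # Compare local names so namespaced descriptors match too.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def rank(pattern, path):
    """Servlet matching order: exact > longest path prefix > extension."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return None

def xml_access(web_xml, path):
    """Return 'denied', 'partial' (some HTTP methods only) or 'not-denied'."""
    best, verdicts = None, []
    for sc in kids(ET.fromstring(web_xml), "security-constraint"):
        auth = kids(sc, "auth-constraint")
        deny_all = bool(auth) and not kids(auth[0], "role-name")  # empty element = nobody
        for wrc in kids(sc, "web-resource-collection"):
            limited = bool(kids(wrc, "http-method") or kids(wrc, "http-method-omission"))
            for p in kids(wrc, "url-pattern"):
                r = rank((p.text or "").strip(), path)
                if r is None or (best is not None and r < best):
                    continue
                if best is None or r > best:
                    best, verdicts = r, []  # a better pattern replaces weaker matches
                verdicts.append((deny_all, limited))
    if any(d and not l for d, l in verdicts):
        return "denied"
    return "partial" if any(d for d, _ in verdicts) else "not-denied"
```

In the sample, `/reports/q1.page.xml` comes back as `not-denied` because the `/reports/*` prefix pattern outranks `*.xml`, so the deny-all constraint does not apply to that path.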