Hide .xhtml source - facelets/icefaces?

I'm new to Icefaces and Facelets both, but I'm using them on a new project. I've got everything working configured and working fine. However, when I visit mywebapp/file.xhtml, the entire facelets template source comes up in my browser. How could I hide this to prevent users from viewing my server-side templates?

Solution

Put all templates into WEB-INF/someDirectory/templates.

Then according to the facelets documentation put this inside your web.xml for all other xhtml files:

<security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Only Let 'developer's access XHTML pages</description>
        <role-name>someone</role-name>
    </auth-constraint>
</security-constraint>

Jakarta Faces 4 / TomEE 10 - Nested composites, same attribute name causes StackoverflowError
Custom Json serialization format for MonetaryAmount JSR354 / moneta, how to register the Serializer properly
How to let UriBuilder build an URI with decoded hash character?
How set Response body in javax.ws.rs.core.Response
Difference between interceptors and decorators
How do you prevent a user from posting data multiple times on a website
Response 403 forbidden at simultaneously ajax request using Jakarta EE and Glassfish Server
WildFly localhost 'forbidden' access
What is a "host only" cookie?
Are CDI.current().select().get() and BeanManager.getReference() functionally equivalent?
Error: `callbackHandler` may not be null when connecting to HDFS using Kerberos in Jakarta EE
Jakarta faces issue: DI is not available
How does a server work and different clients?
Why is Java frequently used for enterprise applications?
Websocket: maintain user session after page reloading
Can't send a message send a message from DLQ in Payara, I get a javax.jms.IllegalStateException: MQJMSRA_DS4001: commit():Illegal for a non-transacted
JakartaEE 10 OpenIdAuthenticationMechanism failed with Auth0
What are Interceptors in Java EE?
When is a database called as an Embedded database?
Compiling just one class in netbeans in a web app
Create a HashSet By Enumeration
JAX-WS Web service on Tomcat without sun-jaxws.xml
BCrypt in my Spring Security project (Spring security)
EJB TimerService : schedule task to run every 90 seconds
Are Java EE server components compiled?
Wildfly deploy failed: JBAS014671 and WFLYCTL0080 - Access is denied
Deserializing JSON array with JSON-B
Displaying binary images on JSP page
What' the purpose of @Named annotation
I deployed WAR on Tomcat but I can't access my controller?