You may also declare a security-constraint in web.xml like that: <security-constraint> | <display-name>Restrict XHTML Documents</display-name> | <web-resource-collection> | <web-resource-name>XHTML</web-resource-name> | <url-pattern>*.xhtml</url-pattern> | <url-pattern>/mail/*</url-pattern> | <url-pattern>/templates/*</url-pattern> | </web-resource-collection> | | <auth-constraint> | <description>Only Let 'developer's access XHTML pages</description> | <role-name>developer</role-name> | </auth-constraint> | </security-constraint> I got it from facelets developers guide. I like it 'cause I can restrict complex structures and not only some files. Ricardo Memória View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4016838#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...