Lolz, you misunderstood me! I don't have the intention to build a security model
relying on the HTTP referrer or similar stuff instead of Seam's security model. I just want
to send different responses for security exceptions depending on the view id that is
accessed.
E.g. I normally would redirect to some page showing the proper message - "You
don't have the necessary rights", "Please login", ... But for a part of
my site - e.g. /admin/* - I would like to return only a 404 if the user isn't logged
in or isn't in the role 'admin'. This way normal users can't prove that
/admin exists and won't start fiddling with it.
I hope it's clearer now ;) - anyway: thanks for the warning.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035529#...
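
The per-view behaviour described in the post above, as an added example that is not part of the original post and not Seam's own code. It is plain Java with no Seam API; the class name, the outcome names, the `requiredRole` parameter and the sample view ids are assumptions. The view id is normalised before matching so that variants of the /admin path get the same 404 as the plain one.

```java
import java.net.URI;
import java.util.Set;

// Added illustration: chooses the response to a failed security check by view id.
public class SecurityResponsePolicy {

    enum Outcome { ALLOW, NOT_FOUND_404, REDIRECT_LOGIN, REDIRECT_DENIED }

    // Assumptions for this example: the hidden area is /admin, the role is 'admin'.
    static final String HIDDEN_PREFIX = "/admin";
    static final String ADMIN_ROLE = "admin";

    // Normalise first, so /admin;x=1, //admin/ and /a/../admin/ all hit the same rule.
    static String normalise(String viewId) {
        String path = viewId.replaceAll(";[^/]*", "")   // drop path parameters
                            .replaceAll("/{2,}", "/");  // collapse repeated slashes
        return URI.create(path).normalize().getPath();  // resolve . and .. segments
    }

    static boolean isHidden(String path) {
        return path.equals(HIDDEN_PREFIX) || path.startsWith(HIDDEN_PREFIX + "/");
    }

    // requiredRole is null for a public view.
    static Outcome decide(String viewId, boolean loggedIn, Set<String> roles, String requiredRole) {
        if (isHidden(normalise(viewId))) {
            // Anonymous and under-privileged users get the same answer as for a missing page.
            return loggedIn && roles.contains(ADMIN_ROLE) ? Outcome.ALLOW : Outcome.NOT_FOUND_404;
        }
        if (requiredRole == null) return Outcome.ALLOW;
        if (!loggedIn) return Outcome.REDIRECT_LOGIN;       // "Please login"
        return roles.contains(requiredRole)
                ? Outcome.ALLOW
                : Outcome.REDIRECT_DENIED;                  // "You don't have the necessary rights"
    }

    public static void main(String[] args) {
        // Constructed sample requests, not taken from the post.
        Set<String> none = Set.of(), user = Set.of("user"), admin = Set.of("admin");
        System.out.println(decide("/admin/users.xhtml", false, none, ADMIN_ROLE));
        System.out.println(decide("/admin;jsessionid=abc/users.xhtml", true, user, ADMIN_ROLE));
        System.out.println(decide("/shop/../admin/users.xhtml", true, user, ADMIN_ROLE));
        System.out.println(decide("/admin/users.xhtml", true, admin, ADMIN_ROLE));
        System.out.println(decide("/account/orders.xhtml", false, none, "user"));
        System.out.println(decide("/reports/sales.xhtml", true, user, "manager"));
    }
}
```

The concealment only holds if the 404 sent for the hidden area has the same status, headers and body as the one the server sends for a path that really does not exist.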