Hi all, I've noticed in my own app and in the booking example that if you know the name of the underlying .xhtml files, you can hit them directly in your browser and download the source. eg: http://localhost:8080/seam-booking/home.xhtml What is the recommended way of blocking this so that only .seam actions are handled? Should I have a servlet mapping for *.xhtml that returns a 404, or will this interfere with the workings of Seam? I think it's a bit of a hole in a webapp to have the template files directly accessible like this. cheers, Daniel. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973140#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...