Writing a filter that blocks direct .xhtml access shouldn't be too hard. I wouldn't expect facelets to perform a web request to access the .xhtml files, so you should be able to 404 any direct HTTP access. I'm not 100%, but this should be easy enough to test. Either just write the filter, or look at the HTTP request log during expected usage. Even if facelets makes a web request for some reason, it should come from localhost or your local IP. You can adjust your filter to permit that access. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973153#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...