I am starting to explore JSF 2 facelet and I would like to test this in a simple project.
I just have a question regarding the file structure in JSF 2. When I was using Spring, I used to put all my pages under WEB-INF so that they wouldn't be accessible to the browser.
I notice that in JSF 2, you should put your *.xhtml files outside of WEB-INF and allow access to them through the Faces Servlet.
Question: does this mean that all enterprise applications that utilize JSF always put a security constraint in their web.xml?
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>XHTML files</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
Or are they using some sort of filter that traps all incoming requests and then rejects requests for *.xhtml?
Is my understanding correct, and if so, which one is more apt to be used?
Thanks
A third alternative in JSF 2.x is to map the FacesServlet just straight on *.xhtml instead of *.jsf or whatever. This way you don't need to cobble with security constraints or filters to prevent end users from directly accessing *.xhtml files. It has the only disadvantage that you cannot serve "plain vanilla" XHTML files without invoking the FacesServlet, but that would in turn already not make much sense, because such files should technically have the *.html extension.
Please note that this doesn't work in old JSF 1.x. The FacesServlet would run in an infinite loop invoking itself again and again.
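
The mapping described in this answer, next to the security-constraint variant from the question, as an added example that is not part of the original posts. The servlet name facesServlet and the Servlet 3.0 descriptor header are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- "facesServlet" is an assumed name; any name works as long as the
         servlet and servlet-mapping entries agree. -->
    <servlet>
        <servlet-name>facesServlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- JSF 2.x only: map the FacesServlet on the same extension as the
         Facelets source files. Every request for /page.xhtml is then
         processed by JSF, so the raw, unrendered source is never served. -->
    <servlet-mapping>
        <servlet-name>facesServlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

    <!-- Alternative from the question, needed only when the FacesServlet is
         mapped on a different pattern such as *.jsf: the empty
         auth-constraint denies all direct requests for *.xhtml.
    <servlet-mapping>
        <servlet-name>facesServlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>XHTML files</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
    -->
</web-app>
```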