I've been experimenting with JSF for some time now and I still don't understand the page navigation part. I know that in JSF, if you aren't using the redirect option in navigation that the URL is one page behind the page you are on.
I've seen articles where people say you should put your pages in a directory under WEB-INF to protect against directly accessing the page. I don't understand how you can create an application that is multiple pages using that option, because won't you run into the problem of having a form with an action URL of WEB-INF/somepage.xhtml?
I've also read articles that say the way to fix this is to add security-constraints to web.xml that prevent "direct access" to pages, when you want your user to follow a page flow, such as start on page1.xhtml, then page2.xthml, then end on page2.xhtml. If page3.xhtml depends on page2.xhtml, the articles I've read say that a security constraint prevents users from simply requesting page3.xhtml out of sequence.
And what happens if the page you are on encounters an error or the session times out, which page handles that? The one you're on, or the one from before that forwarded you to the page you're on?
In this example, should page2.xhtml and page3.xhtml go in the root of the webapps directory, or in a directory under WEB-INF?
Webapps
index.xhtml
page1.xhtml
page2.xhtml
page3.xhtml
WEB-INF
faces-config.xml
web.xml
page-directory
page2.xhtml
page3.xhtml