Marco Ehrentreich wrote:
... But this way you can have one Servlet to respond to this "static" URL and you must give it all additional information for page navigation etc. with POST HTTP parameters.

... And that "one Servlet" won't be the FacesServlet, which has its own ideas about what goes into a URL. So this approach fails for JSF apps.
Do-It-Yourself security is a really bad idea. Unlike "Hello, World", security isn't something that untrained children can do. The people who designed the industry-standard security systems are professional experts in security; some of them do basically nothing but security. They all get together and argue about exploits, run lots of test cases, open the standards up for field trials, run mathematical proofs ... and still have exploits turn up. Although in their case, it's usually several years, and the platforms are designed so that when it happens, there are ways to rapidly mitigate the problem without having to rewrite major system components.

"Clever" people are almost never as clever as they think they are. They make assumptions that only honest people are going to break in (which is kind of a contradiction), they don't know the common exploits, and they don't build on proven principles. As a result, most of the DIY security I've run into over the years has basically been nothing but soggy cardboard.