To answer your question about security --
PrettyFaces is no more or less secure than using any other bookmarking/URL-rewriting/URL-parameterization strategy (of which there are few.)
Any time you accept input from the URL, you are taking a risk because that data comes directly from the user. PrettyFaces does in fact offer a validation feature that allows for convenient validation of URLs using existing/built-in JSF validators; thus, your security improves if you decide to use these features:
It is highly recommended that you use
both of these features, so keep in mind that if you decide not to use PrettyFaces, you should still do something like this yourself; again,
any data that you accept from the URL is going to be at risk to user attacks - this is not unique to URL-rewriting tools, but you should know that this particular tool makes it easy to resolve these vulnerabilities:
Methods of securing a URL using PrettyFaces:
--
Parameter validation using JSF validators.
--
Parameter restriction using regular expressions.
If either of these validation methods detects invalid data, the default is to abort processing and show the 404 page, just as if you'd entered an invalid URL. If you wish to customize the outcome target when invalid data is detected, you can always do that as well.
Let me know if you have additional questions.
--Lincoln
(Hi Tim & Tanya, glad PrettyFaces is still working out well for you
Let me know if there is anything I can do to help!)
