The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world.
When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters.
For instance the following URL has several problems :
- The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release
- The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!!
- The part "eAF7P..bLgAIQwM." contains ".."' characters
Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.