I have been using Thymeleaf for some time on a single developer project and that has worked out very well.
I am using the Thymeleaf Spring dialect in a standard Java EE project structure. The problem is that the designer can't just work easily with Thymeleaf templates in webapp/WEB-INF/templates, because, without a server running, those templates don't find their static resources in e.g. webapp/css.
I can work around this problem using a bunch of ../../ and th:src, but that creates a need for a lot of extra template code, that I would like to avoid.
A simple solution that occurred to me was to simply move the Thymeleaf templates to webapp/ and configure the Thymeleaf templateResolver to look in webapp/ for its templates. That would allow the static and dynamic resource paths to be the same, avoiding the undesirable template code.
I have set this up experimentally and it seems to work quite well, but I have some concern about deviating from the Java EE standard/best practice.
1. Am I opening up any security vulnerabilities by placing my templates in a publicly accessible area generally reserved for static files?
2. Is there any other reason, besides losing a 'rich' hierarchical project structure, that I should consider before making this change permanent?
I would say for:
1. Yes.
2. What do you think about placing HTML stuff into /web-app or even the /resources folder (for the designer) and later putting them all into /WEB-INF/templates (/html) with a build script, as an alternative variant?
I'm at an early stage of project development with Spring+MVC+WebFlow and now I'm turning the view layer from JSP (which is in the /WEB-INF/views/ folder) into Thymeleaf HTML+tiles2 (which is in /WEB-INF/templates/).
I still have two viewResolvers and two view versions, and I'm reworking JSP to HTML one by one.
What you've done - move templates into the content directory to avoid all the extra template code - is actually what I do for my personal projects :)
The reason moving templates is a security concern is that every servlet/application container is configured to serve content out of that directory, so someone could get your raw template code by going to <your-website>/<context-root>/NameOfTemplate.html (or however you've mapped your application to public URLs).
What I've done, and what you will want to consider doing if you don't want any of those resources to be accessed unintentionally, is capture requests for your templates or any resource you'll be serving out of there that you never want other people to see, and then prevent access, maybe returning a 404 error code. This can be done with a 'catch-all' servlet (mapped to the /* or *.html URL pattern for just templates), or by configuring your servlet container, or (if your application will be fronted by a web server) by configuring the web server.
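A sketch of the catch-all approach described in the last reply, written as a servlet filter. This is an added example, not code from anyone in the thread; the class name `TemplateBlockingFilter` is hypothetical, and it assumes templates end in `.html` and that no controller URL uses that suffix.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: answers 404 for any direct client request to a raw template
// stored under webapp/. Assumption: templates end in .html and controllers do not.
// Only REQUEST dispatches are filtered, so internal forwards are untouched, and the
// Thymeleaf resolver still reads templates through the ServletContext, not over HTTP.
@WebFilter(urlPatterns = "/*", dispatcherTypes = DispatcherType.REQUEST)
public class TemplateBlockingFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Use the container-decoded path (path parameters such as ;jsessionid are
        // already stripped) rather than the raw request URI.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (isTemplatePath(path)) {
            // 404 rather than 403, so the response does not confirm the file exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    // Case-insensitive suffix match, so /Page.HTML is also refused on
    // file systems that ignore case.
    static boolean isTemplatePath(String path) {
        return path.toLowerCase(Locale.ROOT).endsWith(".html");
    }

    @Override
    public void destroy() { }
}
```

Static HTML pages that should stay public would need a different extension or an explicit allow-list in `isTemplatePath`.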