In addition to identifying the FacesServlet instance and providing a mapping to it, you should also ensure that all applications use FacesServlet to process JavaServer Faces components. You do this by setting a security constraint.
To set a security constraint using NetBeans IDE, do the following:
Expand the node of your project in the Projects pane.
Expand the Web Pages and WEB-INF nodes that are under the project node.
Double-click web.xml.
After the web.xml file appears in the editor pane, click Security at the top of the editor pane.
Click Add Security Constraint.
Enter a name for the constraint in the Display Name field.
Click Add to add a web resource collection.
In the Add Web Resource dialog:
Enter a name for the web resource collection in the Resource Name field.
In the URL pattern field, enter the path to a JSP page to which you want to restrict access, such as /response.jsp. Use commas to separate multiple patterns.
Click OK.
To set a security constraint by editing the deployment descriptor directly, add a security-constraint element, and inside the security-constraint element, add the following:
Add a display-name element to identify the name of the constraint.
Add a web-resource-collection element.
Inside the web-resource-collection element, add a web-resource-name element that identifies the purpose of the collection.
Add a url-pattern element inside the web-resource-collection element and enter the path to a JSP page to which you want to restrict access, such as /response.jsp.
Continue to add URL patterns for all the JSP pages to which you want to restrict access.