In addition to identifying the FacesServlet instance and providing a mapping to it, you should also ensure that all applications use FacesServlet to process JavaServer Faces components. You do this by setting a security constraint.
To set a security constraint using NetBeans IDE, do the following:
Expand the node of your project in the Projects pane.
Expand the Web Pages and WEB-INF nodes that are under the project node.
After the web.xml file appears in the editor pane, click Security at the top of the editor pane.
Click Add Security Constraint.
Enter a name for the constraint in the Display Name field.
Click Add to add a web resource collection.
In the Add Web Resource dialog:
Enter a name for the web resource collection in the Resource Name field.
In the URL pattern field, enter the path to a JSP page to which you want to restrict access, such as /response.jsp. Use commas to separate multiple patterns.
To set a security constraint by editing the deployment descriptor directly, add a security-constraint element, and inside the security-constraint element, add the following:
Add a display-name element to identify the name of the constraint.
Add a web-resource-collection element.
Inside the web-resource-collection element, add a web-resource-name element that identifies the purpose of the collection.
Add a url-pattern element inside the web-resource-collection element and enter the path to a JSP page to which you want to restrict access, such as /response.jsp.
Continue to add URL patterns for all the JSP pages to which you want to restrict access.