The Java EE 5 Tutorial

Restricting Access to JavaServer Faces Components

In addition to identifying the FacesServlet instance and providing a mapping to it, you should also ensure that all applications use FacesServlet to process JavaServer Faces components. You do this by setting a security constraint.

    To set a security constraint using NetBeans IDE, do the following:

  1. Expand the node of your project in the Projects pane.

  2. Expand the Web Pages and WEB-INF nodes that are under the project node.

  3. Double-click web.xml.

  4. After the web.xml file appears in the editor pane, click Security at the top of the editor pane.

  5. Click Add Security Constraint.

  6. Enter a name for the constraint in the Display Name field.

  7. Click Add to add a web resource collection.

  8. In the Add Web Resource dialog:

    1. Enter a name for the web resource collection in the Resource Name field.

    2. In the URL pattern field, enter the path to a JSP page to which you want to restrict access, such as /response.jsp. Use commas to separate multiple patterns.

    3. Click OK.

    To set a security constraint by editing the deployment descriptor directly, add a security-constraint element, and inside the security-constraint element, add the following:

  1. Add a display-name element to identify the name of the constraint.

  2. Add a web-resource-collection element.

  3. Inside the web-resource-collection element, add a web-resource-name element that identifies the purpose of the collection.

  4. Add a url-pattern element inside the web-resource-collection element and enter the path to a JSP page to which you want to restrict access, such as /response.jsp.

  5. Continue to add URL patterns for all the JSP pages to which you want to restrict access.