If your JSF application uses the standard Java Servlet security mechanisms (
<login-config>, et al), and your application allows a mixture of public and non-public access, you’ll probably want to make the JSF resource library available to the browsers of both public and non-public users.
Assuming that you’re using the JSF resource library mechanisms (like
<h:outputStylesheet>), you’ll need this security constraint:
If (like me) you’re mixing use of JSF tags like (
<h:outputStylesheet>) with some direct references to resources, you’ll also want to include a URL pattern that allows that direct access:
Since these security constraints don’t specify an auth constraint, they are accessible to any browser that requests them. As noted, you can still include a
<user-data-constraint> to enable SSL, if you like.