Exclude css & image resources in web.xml Security Constraint

Question

I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

Answer 1

It has to be the value of ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

RESOURCE_IDENTIFIER

public static final java.lang.String RESOURCE_IDENTIFIER

Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.

See Also:

Constant Field Values

The constant field values says the following:

public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in /resources folder of the public webcontent which is handled by the JSF resource handler.