If the application is running in a Servlet 3.0 (and beyond) container, the runtime must provide
an implementation of the javax.servlet.ServletContainerInitializer interface that declares the
following classes in its javax.servlet.annotation.HandlesTypes annotation.
- javax.faces.annotation.FacesConfig
- javax.faces.application.ResourceDependencies
- javax.faces.application.ResourceDependency
- javax.faces.bean.ManagedBean
- javax.faces.component.FacesComponent
- javax.faces.component.UIComponent
- javax.faces.convert.Converter
- javax.faces.convert.FacesConverter
- javax.faces.event.ListenerFor
- javax.faces.event.ListenersFor
- javax.faces.render.FacesBehaviorRenderer
- javax.faces.render.Renderer
- javax.faces.validator.FacesValidator
- javax.faces.validator.Validator
This servlet must automatically be mapped if it is not explicitly mapped in web.xml or
web-fragment.xml and one or more of the following conditions are true.
- A faces-config.xml file is found in WEB-INF
- A faces-config.xml file is found in the META-INF directory of a jar in the application's classpath.
- A filename ending in .faces-config.xml is found in the META-INF directory of a jar in the application's classpath.
- The javax.faces.CONFIG_FILES context param is declared in web.xml or web-fragment.xml.
- The Set of classes passed to the onStartup() method of the ServletContainerInitializer implementation is not empty.
If the runtime determines that the servlet must be automatically mapped, it must be mapped to the
following <url-pattern> entries.
- /faces/*
- *.jsf
- *.faces
- *.xhtml
Note that the automatic mapping to *.xhtml can be disabled with the context param
DISABLE_FACESSERVLET_TO_XHTML_PARAM_NAME.
This class must be annotated with
javax.servlet.annotation.MultipartConfig. This causes
the Servlet container in which the JSF implementation is running to correctly handle multipart
form data.
Some security considerations relating to this class
The topic of web application security is a cross-cutting concern and every aspect of the
specification addresses it. However, as with any framework, the application developer needs to pay
careful attention to security. Please consider these topics among the rest of the security
concerns for the application. This is by no means a complete list of security concerns, and is no
substitute for a thorough application level security review.
Prefix mappings and the FacesServlet
If the FacesServlet is mapped using a prefix <url-pattern>, such as
<url-pattern>/faces/*</url-pattern>, something must be done to prevent access to the view source
without its first being processed by the FacesServlet. One common approach is to apply a
<security-constraint> to all facelet files and flow definition files. Please see the Deployment
Descriptor chapter of the Java Servlet Specification for more information on the use of
<security-constraint>.
Allowable HTTP Methods
The JSF specification only requires the use of the GET and POST HTTP methods. If your web
application does not require any other HTTP methods, such as PUT and DELETE, please consider
restricting the allowable HTTP methods using the <http-method> and
<http-method-omission> elements. Please see the Security chapter of the Java
Servlet Specification for more information on the use of these elements.
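
The two recommendations above, prefix mapping protection and HTTP method restriction, combined in one deployment descriptor. This is an added example, not part of the original documentation. It assumes a constructed public application with no login roles, facelets stored as *.xhtml, and the FacesServlet mapped only to /faces/*; the servlet and resource names are illustrative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: constructed WEB-INF/web.xml, prefix mapping only. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <!-- Explicit mapping, so the automatic mappings are not applied. -->
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>

  <!-- Direct requests such as /page.xhtml bypass the FacesServlet; an empty
       auth-constraint denies them for every caller. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Facelet source</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- GET and POST under /faces/* stay open (no auth-constraint). Naming
       them here makes /faces/* the matching pattern for these requests. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Faces requests</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- Every other method under /faces/* is denied. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Faces requests, other methods</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

Flow definition files are not matched by the *.xhtml pattern and need their own <url-pattern> entries. After deployment, confirm that a GET for a facelet path without the /faces prefix is refused and that the same view under /faces/ still renders.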