I am using JSF 2.1 and Glassfish 3.1.2.
I specify a security constraint to block everything:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured Content</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMINISTRATOR</role-name>
        </auth-constraint>
    </security-constraint>
and grant different (open) access to a subset of pages and resources:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Open Content</web-resource-name>
            <url-pattern>/subscribe/*</url-pattern>
            <url-pattern>/javax.faces.resource/*</url-pattern>
        </web-resource-collection>
    </security-constraint>
It works great. However, is the following
    <url-pattern>/javax.faces.resource/*</url-pattern>
the correct way to resolve all resources?
I just did this by looking at the URL that Facelets injects into the XHTML. Are there security holes with this approach?
Thanks.
Tim
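The question hinges on which of the two constraints a container applies to a given URL. The following is an added example, not code from the question, from JSF, or from Glassfish: it reads a web.xml (a constructed copy of the two constraints above, with the xmlns omitted so the tag names stay unqualified) and applies the Servlet 3.0 spec rules the configuration relies on. It assumes the spec's best-match selection (exact match, then longest path prefix, then extension, then default; sections 12.1 and 13.8.3) and its combination rules (a constraint with no auth-constraint opens the path, an empty auth-constraint denies everyone; section 13.8.1). Whether a particular container version follows the spec exactly should still be confirmed with an unauthenticated request against the deployed application.

```python
"""Simulate how a Servlet container picks the security constraint for a request.

Added example, not from the question or from Glassfish/JSF. It implements the
Servlet 3.0 spec rules the asker's web.xml relies on: the best matching
url-pattern is chosen (exact > longest path prefix > extension > default),
and only the constraints declared on that pattern apply.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml mirroring the question's two constraints (xmlns omitted
# so ElementTree tag names stay unqualified).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured Content</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Open Content</web-resource-name>
      <url-pattern>/subscribe/*</url-pattern>
      <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text):
    """Return a list of (url_patterns, roles) tuples.

    roles is None when the constraint has no <auth-constraint> (open to all)
    and an empty list when <auth-constraint/> names no role (deny all).
    """
    root = ET.fromstring(xml_text)
    result = []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        result.append((patterns, roles))
    return result


def match_score(pattern, path):
    """Rank how well a url-pattern matches a request path (spec section 12.1).

    Returns a comparable tuple (higher is better) or None for no match.
    """
    if pattern == path:
        return (4, len(pattern))          # exact match wins outright
    if pattern.endswith("/*"):
        prefix = pattern[:-2]             # '/*' -> '' matches every path
        if path == prefix or path.startswith(prefix + "/"):
            return (3, len(prefix))       # longest prefix wins among prefix patterns
    if pattern.startswith("*."):
        if path.rsplit("/", 1)[-1].endswith(pattern[1:]):
            return (2, 0)                 # extension match
    if pattern == "/":
        return (1, 0)                     # default pattern
    return None


def required_roles(constraints, path):
    """None if the path is unconstrained, else the sorted list of permitted roles
    (an empty list means nobody may access it)."""
    best_score, applicable = None, []
    for patterns, roles in constraints:
        for pattern in patterns:
            score = match_score(pattern, path)
            if score is None:
                continue
            if best_score is None or score > best_score:
                best_score, applicable = score, [roles]
            elif score == best_score:
                applicable.append(roles)   # several constraints on the same pattern combine
    if not applicable:
        return None                        # no constraint matched at all
    if any(r == [] for r in applicable):
        return []                          # empty <auth-constraint/> overrides everything
    if any(r is None for r in applicable):
        return None                        # a constraint without <auth-constraint> opens the path
    return sorted(set(role for r in applicable for role in r))


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for p in ("/index.xhtml", "/subscribe/signup.xhtml",
              "/javax.faces.resource/css/style.css.xhtml", "/resources/css/style.css"):
        print(p, "->", required_roles(cs, p))
```

Run as-is, the script reports that `/index.xhtml` requires ADMINISTRATOR, that `/subscribe/...` and `/javax.faces.resource/...` are open because their longer prefix beats `/*`, and that `/resources/css/style.css` is still locked: the open pattern only covers URLs that go through the JSF resource handler, while the raw `/resources` folder on disk stays behind the blanket constraint. That is the property worth re-checking after any change to the patterns, since a broader open pattern (for example an extension pattern such as `*.css`) would also expose direct paths.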