Home/ Questions/Q 969561
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T02:39:39+00:00

I’m here facing a problem with a Java web project. The project I’m working

  • 0

I’m here facing a problem with a Java web project. The project I’m working on has been made with standard jsp mixed up with jsf pages.
The main page of the application, called main.jsp is a standard jsp page that needs to access a managed bean with session scope created within a servlet filter used to check the authentication of the user.
In my web.xml I have set up that faces engine must respond to .jsf and /faces/* request

  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>*.jsf</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>/faces/*</url-pattern>
  </filter-mapping>

If I open my application with http//myserver/myapp/faces/main.jsp everything works fine.
If I open my application with http://myserver/myapp/main.jsp I’ll get an error because the faces context hasn’t been created yet.
Neither setting the welcome page nor setting the apache redirect I’m able to let the application open the right page (main.jsp within the faces context) when the users simply type h**p://myserver/myapp on their browsers: that’s because the page /faces/main.jsp phisically doesn’t exist.

I guess there could be 2 solution: being able to let the faces context start even outside the /faces/* pattern, or find a way to let tomcat redirect to /faces/main.jsp even if the page doesn’t exist… but I failed everything I tried.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Just do not open your application by http://myserver/myapp/main.jsp, but rather by http://myserver/myapp/faces/main.jsp or (more preferred) http://myserver/myapp/main.jsf.

    If your whole concern is that the endusers shouldn’t be able to access the JSP pages outside the url-pattern of the FacesServlet (else this question would not make much sense 😉 ), then go for the *.jsf pattern and add a security-constraint with an empty auth-constraint on *.jsp pattern to the web.xml. This should take care that the endusers won’t be able to request *.jsp URL’s directly.

    <security-constraint>
    <display-name>Restrict direct access to JSP files</display-name>
    <web-resource-collection>
        <web-resource-name>JSP files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

    This is not directly possible when you’re using /faces/* mapping. I’d get rid of it in web.xml as well.

    Further, to cover endusers who are typing http://myserver/myapp, then just define main.jsf as welcome-file in web.xml and get rid of the other definied welcome files. In Tomcat (and possibly also other servletcontainers) you’ll however need to create an empty file with exactly that name to fool the server that the file exists on disk.

    • 0