If your JSF application uses the standard Java Servlet security mechanisms (<security-role>, <security-constraint>, <login-config>, et al.), and your application allows a mixture of public and non-public access, you’ll probably want to make the JSF resource library available to the browsers of both public and non-public users.
Assuming that you’re using the JSF resource library mechanisms (like <h:outputStylesheet>), you’ll need this security constraint:
[xml]
[/xml]
If (like me) you’re mixing use of JSF tags like <h:outputStylesheet> with some direct references to resources, you’ll also want to include a URL pattern that allows that direct access:
[xml]
[/xml]
Since these security constraints don’t specify an auth constraint, the resources they cover are accessible to any browser that requests them. As noted, you can still include a <user-data-constraint> to enable SSL, if you like.
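A web.xml fragment showing both URL patterns described above next to a protected catch-all, as an added example rather than the original listings from this post. It assumes the FacesServlet is mapped by extension (such as *.xhtml), that directly referenced files live under /resources, and a hypothetical role named "user".

```xml
<!-- Added example. With extension mapping, JSF resource requests arrive as
     /javax.faces.resource/<name>; with a prefix mapping such as /faces/*,
     the pattern would be /faces/javax.faces.resource/* instead. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public JSF resources</web-resource-name>
    <!-- URLs generated by tags like h:outputStylesheet -->
    <url-pattern>/javax.faces.resource/*</url-pattern>
    <!-- Assumed path for directly referenced files; adjust to your layout -->
    <url-pattern>/resources/*</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint element: unauthenticated clients are allowed. -->
  <!-- Optional: still require TLS for these resources. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Protected catch-all, shown for contrast. The container applies the
     constraint with the best-matching URL pattern, so the two path-prefix
     patterns above take precedence over /* for resource requests. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything else</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- hypothetical role -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Everything under a pattern with no auth constraint is served to anonymous clients, so keep only assets intended for public use beneath those paths.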