Security

Next, we'll look at how to secure our JSF pages and components. In Chapter 13, Working with Servlets and JSP, we showed the security configuration of a web application in the web.xml descriptor file. Because the Servlet specification is the foundation of JSF applications, web.xml remains an important part of that configuration.

So, consider this security configuration in the web.xml descriptor file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Authenticated</web-resource-name>
        <description></description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
        <role-name>admin</role-name>
        <role-name>guest</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Rubia Forums</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
<security-role>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <role-name>guest</role-name>
</security-role>

To sum up, the configuration secures every page of the web application through the default BASIC login prompt and grants access only to the user, admin, and guest roles.

This configuration only controls access to the application as a whole. It does not restrict access to an individual page, or to a piece of a page, that a user must not see even though they have general permission to use the application.
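
The page-level part of this limitation can be handled in the same descriptor, shown here as an added example that is not from the book: a second constraint with a narrower url-pattern restricts a hypothetical /admin/* area to the admin role, and both constraints require TLS because BASIC sends the password only Base64-encoded. The /admin/* path and the web-app version are assumptions; restricting a piece of a page cannot be expressed in web.xml and is not covered here.

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!-- Hypothetical admin area. For a request under /admin/ the container
         applies the constraint with the most specific matching url-pattern,
         so the user and guest roles are rejected here (HTTP 403). -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Administration</web-resource-name>
            <!-- No http-method element: every HTTP method is covered -->
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Requests over plain HTTP are redirected to HTTPS or refused -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Application-wide constraint from the text, with TLS required so the
         BASIC Authorization header never travels in the clear -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authenticated</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
            <role-name>admin</role-name>
            <role-name>guest</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Rubia Forums</realm-name>
    </login-config>

    <security-role><role-name>user</role-name></security-role>
    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>guest</role-name></security-role>
</web-app>
```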
