Class FacesServlet

java.lang.Object
jakarta.faces.webapp.FacesServlet
All Implemented Interfaces:
Servlet

public final class FacesServlet extends Object implements Servlet

FacesServlet is a Jakarta Servlet servlet that manages the request processing lifecycle for web applications that are utilizing Jakarta Faces to construct the user interface.

If the application is running in a Jakarta Servlet 3.0 (and beyond) container, the runtime must provide an implementation of the ServletContainerInitializer interface that declares the following classes in its HandlesTypes annotation.

This Jakarta Servlet servlet must automatically be mapped if it is not explicitly mapped in web.xml or web-fragment.xml and one or more of the following conditions are true.

  • A faces-config.xml file is found in WEB-INF

  • A faces-config.xml file is found in the META-INF directory of a jar in the application's classpath.

  • A filename ending in .faces-config.xml is found in the META-INF directory of a jar in the application's classpath.

  • The jakarta.faces.CONFIG_FILES context param is declared in web.xml or web-fragment.xml.

  • The Set of classes passed to the onStartup() method of the ServletContainerInitializer implementation is not empty.

If the runtime determines that the servlet must be automatically mapped, it must be mapped to the following <url-pattern> entries.

  • /faces/*
  • *.jsf
  • *.faces
  • *.xhtml

Note that the automatic mapping to *.xhtml can be disabled with the context param DISABLE_FACESSERVLET_TO_XHTML_PARAM_NAME.

This class must be annotated with jakarta.servlet.annotation.MultipartConfig. This causes the Jakarta Servlet container in which the Jakarta Faces implementation is running to correctly handle multipart form data.

Some security considerations relating to this class

The topic of web application security is a cross-cutting concern and every aspect of the specification addresses it. However, as with any framework, the application developer needs to pay careful attention to security. Please consider these topics among the rest of the security concerns for the application. This is by no means a complete list of security concerns, and is no substitute for a thorough application-level security review.

Prefix mappings and the FacesServlet

If the FacesServlet is mapped using a prefix <url-pattern>, such as <url-pattern>/faces/*</url-pattern>, something must be done to prevent access to the view source without its first being processed by the FacesServlet. One common approach is to apply a <security-constraint> to all facelet files and flow definition files. Please see the Deployment Descriptor chapter of the Jakarta Servlet Specification for more information about the use of <security-constraint>.

Allowable HTTP Methods

The Jakarta Faces Specification only requires the use of the GET and POST HTTP methods. If your web application does not require any other HTTP methods, such as PUT and DELETE, please consider restricting the allowable HTTP methods using the <http-method> and <http-method-omission> elements. Please see the Security sections of the Jakarta Servlet Specification for more information about the use of these elements.
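
The two considerations above, combined in one web.xml. This is an added example, not part of the specification text. The /views/ directory, the resource names and the Servlet 6.0 descriptor version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">

  <!-- Explicit prefix mapping. Because the servlet is mapped here, the
       automatic mappings (including *.xhtml) are not added. -->
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>jakarta.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>

  <!-- Assumption: all Facelets and flow definition files live under /views/.
       The empty auth-constraint denies every direct request for /views/...,
       while /faces/views/page.xhtml is still processed by the FacesServlet.
       A path-prefix pattern is used because the container applies only the
       constraints of the best-matching url-pattern, and an extension pattern
       such as *.xhtml would be outranked by the /* constraint below. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Raw view source</web-resource-name>
      <url-pattern>/views/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Allow-list GET and POST. The omission elements make this constraint
       cover every other method (PUT, DELETE, TRACE, ...), and the empty
       auth-constraint denies them. Listing PUT and DELETE with <http-method>
       instead would leave any method not listed unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Methods other than GET and POST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```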