
Avoid direct access to the source code of JSF pages

Updated: 2023-12-01 15:39:10


This is happening because you've specified /faces/* in your FacesServlet configuration in the web.xml. As a result, any file requested that does not match the specified url pattern will be served as a regular file with a GET request. Change that config to the following to ensure all JSF-related requests go through the FacesServlet:

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>


This ensures all files with the .xhtml extension will be processed before being returned to the client.


While the above solution may solve the immediate problem, what you're experiencing points to a deeper security issue. It indicates that anyone with a browser can request and download artifacts from your web application deployment and possibly other parts of your filesystem. This is a security hole you will need to look into. The options vary depending on your app server.
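An added check, not part of the original answer: the script below reads a web.xml, collects every url-pattern mapped to the FacesServlet, and reports whether a direct GET for a .xhtml file would bypass the FacesServlet (and so be served as a static file by the container's default servlet). The two web.xml samples are constructed for the demonstration, one with the /faces/* prefix mapping from the question and one with the *.xhtml suffix mapping from the answer.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    # web.xml elements carry the javaee/jakartaee namespace; compare local names only
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return ""


def faces_url_patterns(web_xml):
    """Return every url-pattern mapped to a servlet whose class is a FacesServlet."""
    root = ET.fromstring(web_xml)
    faces_names = {
        _child_text(s, "servlet-name")
        for s in root.iter()
        if _local(s.tag) == "servlet"
        and _child_text(s, "servlet-class").endswith("FacesServlet")
    }
    patterns = []
    for m in root.iter():
        if _local(m.tag) == "servlet-mapping" and _child_text(m, "servlet-name") in faces_names:
            patterns.extend(c.text.strip() for c in m if _local(c.tag) == "url-pattern" and c.text)
    return patterns


def xhtml_served_raw(web_xml):
    """True when GET /page.xhtml is not routed through the FacesServlet, so the
    container would hand back the Facelets source as an ordinary static file."""
    return not any(p in ("*.xhtml", "/*") for p in faces_url_patterns(web_xml))


# Constructed sample: the prefix mapping that causes the problem in the question
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample: the suffix mapping recommended in the answer
FIXED_WEB_XML = WEAK_WEB_XML.replace("/faces/*", "*.xhtml")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, faces_url_patterns(cfg), "raw .xhtml exposed:", xhtml_served_raw(cfg))
```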