The JSF 2.3 Expert Group improved security for UIInput components with required="true" via JAVASERVERFACES_SPEC_PUBLIC-1433. However, the improved security is disabled by default in order to maintain strict backward compatibility.
This task involves creating a META-INF/web-fragment.xml descriptor in the master, 4.x, and 3.x branches of the liferay-faces-util project so that all projects that use Liferay Faces will have the improved security enabled by default:
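A descriptor of this kind could look like the following. This is an added example, not the file committed to liferay-faces-util. The fragment name is a placeholder, and the parameter name is the JSF 2.3 constant UIInput.ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE, which this page does not spell out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/web-fragment.xml inside the library JAR (Servlet 3.0+ only).
     The container merges it into every webapp that bundles the JAR. -->
<web-fragment xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-fragment_3_0.xsd"
    version="3.0">
    <!-- Placeholder fragment name (assumption) -->
    <name>example_fragment</name>
    <!-- When true, required="true" validation on UIInput runs even if the
         request carries no submitted value for the component. The JSF
         default is false, for backward compatibility. -->
    <context-param>
        <param-name>javax.faces.ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE</param-name>
        <param-value>true</param-value>
    </context-param>
</web-fragment>
```

A context-param declared in the webapp's own WEB-INF/web.xml takes precedence over the fragment, so an application that sets the value to false there turns the protection back off.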
It is not possible to add a META-INF/web-fragment.xml descriptor in the 1.x branch since web-fragment is a Servlet 3.0 feature and the 1.x branch assumes a Servlet 2.5 environment.
Instead, the context-param must be added to each demo portlet individually, such as the jsf-applicant-portlet.
In order to take full advantage of this improved security, developers will need to use JSF 2.3 or upgrade to versions of JSF 2.2, 2.1, or 1.2 that have the improved security feature backported.