The entry here are roles or principals (comma delimited list) that are allowed to have access to path.

JSF navigation does not support security declaration; however, this specification could be implemented within the handler. In which case, it would produce an outcome that would result into a login or warning page should the security requirement not be met.