Actually, "home.xhtml" is a
resource. The
URL would more commonly be something like
https://corporate.portal/MYAPP/home.
jsf JSF (and Facelets) would then deconstruct the URL in order to locate the View resource, then employ that resource (home.xhtm) to construct the HTML page view.
You can redirect a URL to either an absolute or relative path. If you want to build an absolute path from a relative URL, you can use
J2EE functions to get the components of the incoming request URL and steal the parts needed to make your outgoing URL absolute.
The message about "both secure and nonsecure items" has to do with the sub-URLs on the displayed page such as images, CSS and JavaScript. It's saying that at least one of them is "http" instead of "https". Since HTTP is a clear text protocol, a man-in-the-middle attacker could potentially replace the proper content with a malware-infected equivalent, thereby defeating the advantages of having sent the enclosing page via a secure protocol. This is not a JSF issue, it's an HTML page design issue.