I see a lot of posts around the internet by people asking what the standard mechanism for security is in JSF web applications.
From a security standpoint, JSF applications are no different from applications built on any other servlet-based framework. If you’re deploying applications on J2EE / Java EE servers (e.g. Glassfish or JBoss) or even on Tomcat, then my first choice would be to use JAAS for security.
JAAS is straightforward to configure, is flexible and is a standard.
Next time you need to implement a security mechanism, I’d recommend you take a look at JAAS before embarking on writing custom security mechanisms. You never know – it may save you a lot of time.