I know that I can restrict page access in web.xml using <security-constraint>, or that I could write custom phase listeners or web filters that would check the auth status for each request.
What bugs me about these approaches is that I am defining which resources are off-bounds in a different place than the resources themselves, i.e. I have to remember to update the URL patterns of my filters or the web.xml when I create or move JSF's xhtml files.
What I would like to have is something similar to an annotation directly on the file.
I've seen people use the <f:preRenderView ...> tag in their xhtml files, which comes very close, but I feel that that's way too late in the JSF lifecycle.
What options do I have?
Or is this not advisable at all?
