I just have a query about how to use JSF with roles and URLs restricted by a security-constraint defined in the web.xml file. In non-JSF land this is easy to use since the action of the form can be set to a particular URL and the standard role based URL access will kick in to either allow or prevent access to it depending on the role of the user.
Since JSF takes this control away from you, I'm now wondering if declarative role based control is possible in JSF, or is it something that now has to be done programatically in the code i.e. HttpServletRequest.isUserInRole(). My hope was to use the declaritive method since it's easier to impliment.