Bart, do you mean "JAAS" or "container-managed" security. They're 2 different things, although most
J2EE servers support JAAS as one of the options for container-managed security realms.
It's not really that hard to use container-managed security in JSF, as long as you make allowances for the funny games that JSF URLs play. The "redirect" option is your friend there.
On the other hand, user-defined login/security frameworks have a pretty poor track record for both security and reliability, which is why I spend a lot of time discouraging their use. In fact, at the moment, one of my main projects has a DIY security system that I
thought was one of the cleaner and more reliable ones. Until I discovered the loophole that would allow wholesale abuse of credit
cards by relatively unsophisticated means.
The ViewExpiredException is one of the biggest warts on JSF. I put a filter in one of my apps that intercepts them, but it doesn't cover quite all the bases. JSF2 provides some extra hooks that will improve things, although the app in question hasn't been converted yet, so that option's out for the moment.