I would like to add to my JSF application the programmatic security concept, but I wold like to know if it is possible to manage the realm /users of grassfish v. 3 server with a jsf page, to avoid to configure the server for any new user.
My advice is to look at Spring Security. You don't have to care about what your application server is. You can go about fine grain access controlling. It's not difficult to add Spring Security to an already available application. Have a look at the following:
Programmatic security is not considered the optimal way to secure applications. Programs can have bugs and the last place you want bugs is in security. Plus changing the security architecture requires rewriting the security code, and that often means modify the application logic.
Declarative security is preferable, where possible. Because, unlike program code, declarations have a fairly small number of possibilities, it's much easier to secure an application and it's often possible to design, build, and test the app without including security code within the application itself.
The J2EE standard provides role-based declarative security as a built-in feature, controlled by definitions in the web.xml file. This is quite adequate for many web applications. For more extensive/finer-grained control, you can pair it with a third-party framework such as Spring Security.
Most application developers - and architects - have no business designing their own custom security systems. They invariably do it very badly. It takes both an especially evil mindset and a pretty extensive amount of education to know how to design and implement a security system. And even the pro jobs get exploited on occasion. Far better to let someone else be responsible for that part of the system. Use a rtrusted security framework.
Customer surveys are for companies who didn't pay proper attention to begin with.