The J2EE standard container-managed security system is very good for this purpose. For one thing, it puts the responsibility for controlling access on the webapp server and not on the webapp, so an ill-intentioned user cannot even ram a bad URL request into the webapp, since the appserver will reject it before it can be passed to application code.
I commonly have an administrative aspect to my major webapps. So I set up my admin View definitions under the resource directory name "admin", which is mapped from the app-relative URL "/admin". Then I set up access controls in web.xml so that only users with an admin role can access these URLs. For example:
That's all that standard J2EE webapps need. However, JSF has one further requirement. You may have noticed that the URL in the browser navigation bar often lags the name of the resource to which it refers. Since the J2EE container security system secures URLs, not resources, you have to prevent that behavior. You can do this easily by including the "redirect" option on the navigation rules (or code) that direct users to the restricted URL.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
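The setup described in the post above, sketched as configuration. This is an added example, not the poster's own files: the role name `admin`, the login page paths, the view ids and the navigation outcome are assumptions, and it assumes the FacesServlet uses an extension mapping so that admin views are requested under `/admin/...` (with a `/faces/*` prefix mapping the pattern would have to cover `/faces/admin/*` as well).

```xml
<!-- web.xml (fragment): the container enforces this before any application code runs -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- No <http-method> elements listed, so the constraint covers every
         HTTP method; listing only GET and POST would leave the others open. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>  <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>       <!-- assumed path -->
    <form-error-page>/loginError.jsp</form-error-page>  <!-- assumed path -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- faces-config.xml (fragment): navigation into the restricted area.
     Without <redirect/>, JSF forwards internally, and the container does not
     re-apply the security constraint on a server-side forward: the request
     URL it checked was the previous page's, so the /admin/* rule is never
     evaluated. With <redirect/>, the browser issues a new request for the
     /admin/ URL and the container checks the role before rendering. -->
<navigation-rule>
  <from-view-id>/home.xhtml</from-view-id>            <!-- assumed view id -->
  <navigation-case>
    <from-outcome>admin</from-outcome>                <!-- assumed outcome -->
    <to-view-id>/admin/index.xhtml</to-view-id>       <!-- assumed view id -->
    <redirect/>
  </navigation-case>
</navigation-rule>
```

A quick check after deploying: request an `/admin/` URL directly while logged in as a user without the role and confirm the container answers with 403 (or the login form when unauthenticated) rather than the page.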