Actually, I'd bet I could still use container-based security. Authentication with a security server is not really a problem. For standard database or LDAP, the stock
Tomcat Realms should manage that (if you're using Tomcat or something like
JBoss with embedded Tomcat).
For a "countdown" indicator, it's a little more interesting. I'd actually probably favor a "nag" message in the page header or footer with a link to the code that connects to the security maintenance API. On the other hand, if you want to simply flash up a post-login page, that can be done with a little help from a
servlet filter.
I have something like that right now. When a page request comes in, I check for a session. If there's no session, I'm not logged in. If there is a session, I check to see if I've cached the user's profile as a session object (since JSF can create sessions even when you're not logged in). If there's a UserPrincipal attached to the HttpServletRequest, that means that someone's logged in, so if I don't have a profile in the session, I fetch one, using the UserPrincipal as the key and place it in the session.
I'll admit that there are a few gaps in the functionality of the basic
J2EE CBS framework, but I've found them easy to fill. But there are more gaps in general JSF itself at the moment (like bookmarkable URLs), so I haven't reallyhad to spend too much time or effort on security.
I did have to write a custom realm for my latest app, though. It authenticates against a database, but the user's requirement was for case-insensitive user ID's. Which is perfectly reasonable - just gimmick up the SQL a bit. But oddly there's no option for case-sensitivity in the standard Tomcat database realms. So I subclassed them and added a case-folding option. Less than a day's work, and I can use this realm not only for the current app, but for any other webapp with similar requirements. Including third-party webapps that use container-based security.
If this kind of stuff doesn't appeal to you though, I'd recommend that you implement your security checks in a servlet filter. The absolute worst place to put authentication detection is in the business part of the app, for reasons I've already mentioned. Using a filter can give you much the same effect as CBS - it can guard the gate against all comers and not just the expected ones. It won't give you as much portability as an externally-supplied security manager, and you won't be able to take advantage of the J2EE security methods and resources, but at least it's a lot safer than per-view security.