views: 3633
answers: 3

What is the best way to go about implementing authentication and authorization for a JSF web application? Preferably I'd still want to use container-based security, as I need to call EJBs that require the principal.

I realize form-based authentication is a major struggle with JSF, but can I perhaps use a PhaseListener or something similar together with programmatic logon to authenticate the user?

Any other methods I should rather have a look at?
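The programmatic-logon route the question asks about, as an added example that is not code from the question or any of the answers. It assumes a Servlet 3.0 container (for instance GlassFish v3), because that is where the standard HttpServletRequest.login() call appears; on a Servlet 2.5 container the equivalent is a container-specific API such as GlassFish's ProgrammaticLogin. It also assumes JSF 2.x managed beans, a realm named in web.xml <login-config> (the asker's GlassFish JDBC realm), and a hypothetical EJB called AccountService. Two files are shown in one listing.

```java
// Added example, not code from the question or any answer.
// Assumptions: Servlet 3.0 (HttpServletRequest.login/logout), JSF 2.x,
// a realm configured in web.xml <login-config>, hypothetical AccountService EJB.

// ---- AccountService.java ----
package example.security;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class AccountService {
    @Resource
    private SessionContext ctx;

    // Authorization stays container-managed: a caller without the "user"
    // role gets an EJBAccessException before this body runs.
    @RolesAllowed("user")
    public String callerName() {
        return ctx.getCallerPrincipal().getName();
    }
}

// ---- LoginBean.java ----
package example.security;

import java.io.Serializable;
import javax.ejb.EJB;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "loginBean")
@RequestScoped
public class LoginBean implements Serializable {
    private String username;
    private String password;

    @EJB
    private AccountService accountService;

    /** Action bound to the login form's h:commandButton. */
    public String login() {
        FacesContext fc = FacesContext.getCurrentInstance();
        HttpServletRequest request =
            (HttpServletRequest) fc.getExternalContext().getRequest();
        try {
            // Drop any pre-existing session before a principal is attached to
            // one, so a session id planted before login is never upgraded to
            // an authenticated session (session fixation).
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            request.getSession(true);

            // Authenticates against the realm named in web.xml <login-config>;
            // the container then sets the principal the EJB sees. Throws on failure.
            request.login(username, password);
        } catch (ServletException e) {
            // One message for "no such user" and "wrong password", so the
            // error text does not enumerate usernames.
            fc.addMessage(null, new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;                        // stay on the login view
        } finally {
            password = null;                    // do not retain the secret
        }
        return "home?faces-redirect=true";      // POST-redirect-GET
    }

    /** Shows that the EJB now sees the container principal. */
    public String whoAmI() {
        return accountService.callerName();
    }

    public String logout() {
        FacesContext fc = FacesContext.getCurrentInstance();
        HttpServletRequest request =
            (HttpServletRequest) fc.getExternalContext().getRequest();
        try {
            request.logout();                   // clears the principal
        } catch (ServletException e) {
            // fall through: the session is invalidated regardless
        }
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return "login?faces-redirect=true";
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

No PhaseListener is needed for this: the JSF action runs in the Invoke Application phase, and the container-managed principal is what the EJB's getCallerPrincipal() and @RolesAllowed read afterwards. web.xml still needs a <security-constraint> on the protected URLs and a <login-config> naming the realm; the login view itself must be left outside the constraint, and the form must be served over HTTPS so the password is not sent in the clear.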

+2  A: 

You can use the Spring Security framework, see instructions here http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/

David Rabinowitz
Thanks for the suggestion. Can Spring Security be used outside of the Spring Framework? Currently I have straight-forward JSF with Facelets, and I'd like to avoid an extra dependency on Spring.
Zecrates
It depends on several spring modules - web, core, and several others (for example jdbc if you keep your user data in a database). You do not have to base your application on spring however, just treat it as an external library.
David Rabinowitz
A: 

Try to check out the blog for using JAAS with JSF. It is an example of how to set up JAAS with JSF for authentication and authorization.

I hope it helps.

Tiger
Thanks for the link. I'm uncertain of a few things, however. I assume that this will replace form-based authentication, but how does it interact with my JAAS login module (in Glassfish a realm). I'm using a JDBC realm. Also, isn't a PhaseListener a better fit for this than an ActionListener?
Zecrates
A: 

I use JSF Seam and have used Seam's built-in authentication and authorization and find it extremely easy to use.

For authentication, you simply implement 1 method, public boolean login(String username, String password) { ... }, which returns a boolean. Then you can mark pages as "login-required" and Seam takes care of the rest.

For authorization, Seam gives you a @Restrict Annotation that you can put on your Controller or Service methods and again, Seam takes care of the rest.

Advanced authorization: You can also handle more advanced authorization with Seam where roles are dynamic - e.g. in a bulletin board you are "author" of some posts, but "reader" of other posts, by simply delegating your @Restrict annotation to a Java method.

I would encourage you to take a look at Seam. Seam is just a layer on top of JSF so technically you would still be running on JSF. If for some reason you cannot use Seam, maybe you can borrow some ideas from how Seam handles Authorization and Authentication in JSF.

Vineet Manohar
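The pieces this answer describes, as an added example that is not code from the answer or from Seam itself. It assumes the Seam 2 security API (Identity, Credentials, @Restrict, pages.xml login-required and the s:hasRole EL function); UserStore, PostService, the role names and the user data are constructed for the example. Three classes are shown in one listing; each goes in its own file with the imports it uses.

```java
// Added example, not code from the answer or from Seam. Seam 2 API assumed;
// UserStore, PostService and the users "alice"/"bob" are constructed here.
package example.seam;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

/*
 * The one authentication method the answer mentions. Wired in components.xml:
 *   <security:identity authenticate-method="#{authenticator.authenticate}"/>
 * Seam fills Credentials from the login form and calls authenticate().
 * Pages are protected declaratively in pages.xml:
 *   <page view-id="/posts/*" login-required="true"/>
 *   <page view-id="/admin/*" login-required="true">
 *     <restrict>#{s:hasRole('admin')}</restrict>
 *   </page>
 */
@Name("authenticator")
public class Authenticator {
    @In private Identity identity;
    @In private Credentials credentials;

    public boolean authenticate() {
        String user = credentials.getUsername();
        if (!UserStore.passwordMatches(user, credentials.getPassword())) {
            return false;                       // Seam reports the login failure
        }
        for (String role : UserStore.rolesOf(user)) {
            identity.addRole(role);             // roles feed s:hasRole() checks
        }
        return true;
    }
}

/* Constructed in-memory user data; a real application queries its database. */
final class UserStore {
    private static final String SALT = "example-salt";   // per-user salt in a real store
    private static final Map<String, byte[]> HASHES = new HashMap<String, byte[]>();
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        HASHES.put("alice", sha256(SALT + ":" + "alice-secret"));
        ROLES.put("alice", Arrays.asList("user", "admin"));
        HASHES.put("bob", sha256(SALT + ":" + "bob-secret"));
        ROLES.put("bob", Arrays.asList("user"));
    }
    static boolean passwordMatches(String user, String password) {
        byte[] stored = HASHES.get(user);
        if (stored == null || password == null) return false;
        // Constant-time comparison of the stored and computed digests.
        return MessageDigest.isEqual(stored, sha256(SALT + ":" + password));
    }
    static List<String> rolesOf(String user) {
        List<String> r = ROLES.get(user);
        return r == null ? Collections.<String>emptyList() : r;
    }
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

@Name("postService")
class PostService {
    @In private Credentials credentials;

    // Static check: Seam evaluates the EL before the body runs and throws
    // AuthorizationException (or NotLoggedInException) if it is false.
    @Restrict("#{s:hasRole('admin')}")
    public void deleteAnyPost(String postId) {
        /* ... remove the post ... */
    }

    // Dynamic rule from the answer: the same user is "author" of some posts
    // and only "reader" of others, so the decision is made in Java against
    // the post's data instead of a fixed role name.
    public void editPost(String postId, String postAuthor, String newBody) {
        if (!postAuthor.equals(credentials.getUsername())) {
            throw new AuthorizationException("not the author of post " + postId);
        }
        /* ... update the post ... */
    }
}
```

Note what the container-based approach in the question gives that this does not: Seam's Identity is Seam's own notion of the logged-in user, so an EJB's getCallerPrincipal() will not see it unless the Seam authenticator also performs a container login. With a pure-Seam setup, authorization therefore has to be enforced in the Seam layer (pages.xml restrictions and @Restrict on components) rather than with @RolesAllowed on the EJBs.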