Java EE 5 / EJB 3 / JSF 1.2, using Facelets / ICEfaces 1.8.2

I'm authenticating my users with JAAS, but I think that simple role-based authorization is insufficient for my needs—my users' permissions need to be computed out of data in JPA entities. I'd like to add to certain pages a check that gets some entities from an EJB, does a little bit of logic, then either lets you proceed to the page, or sends an HTTP 401 status, depending on the result.

I've looked at the Java EE 5 Tutorial on securing Web applications, and found it unhelpful.

I've found some web sites that recommend using servlet filters, but those sites are mostly a few years old. Has something better come along, or should I use a servlet filter?
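
A servlet filter of the kind the question describes, as an added example that is not part of the original post: it runs after container (JAAS) authentication, asks an EJB for a decision computed from entity data, and denies by default. `PermissionService`, `mayView` and `EntityPermissionFilter` are hypothetical names, and the filter is assumed to be mapped to the protected URL pattern with a `<filter-mapping>` in `web.xml`.

```java
import java.io.IOException;
import java.security.Principal;
import javax.ejb.EJB;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical local EJB interface; its bean loads JPA entities and applies the rules. */
interface PermissionService {
    boolean mayView(String userName, String resourcePath);
}

/** Fail-closed authorization filter for Servlet 2.5 / Java EE 5 (hypothetical class). */
public class EntityPermissionFilter implements Filter {

    @EJB // container injection into filters is available from Servlet 2.5
    private PermissionService permissions;
    private ServletContext context;

    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set by the container after JAAS login; null means the caller is anonymous.
        Principal user = request.getUserPrincipal();
        // Use the container-decoded path rather than the raw request URI, so that
        // ";jsessionid=..." and encoded segments cannot make the check see a different path.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);

        boolean allowed = false; // deny unless the EJB explicitly grants access
        try {
            allowed = user != null && permissions.mayView(user.getName(), path);
        } catch (RuntimeException e) {
            context.log("Permission check failed for " + path + "; denying", e);
        }
        if (!allowed) {
            // 401 as the question asks; SC_FORBIDDEN (403) is the usual status
            // for a caller who is authenticated but not permitted.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // never continue the chain on a denial
        }
        chain.doFilter(request, response);
    }

    public void destroy() {}
}
```

JSF navigation without `<redirect/>` renders the target view inside the same request, so a URL-mapped filter sees the target page only when the navigation rule redirects or the page is requested directly.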