Are filters or phase listeners a good way to do security in Java EE 6?
I've been doing it like this lately and find it so much better than XML hell (Spring Security) or GlassFish security (because I don't need to have groups or set the tables up a certain way). Is this an OK way to secure Java EE applications? Thanks!
A homegrown Filter is perfectly doable when properly written, but it's less maintainable/reusable because it's tightly coupled to the web application in question. Java EE container-managed security and Spring Security offer an API which is the same and reusable for every web application. This may end up being easier for developers/maintainers who are working on multiple different projects and want to implement/maintain the same. While relatively easy to implement, a homegrown Filter simply violates DRY.
By the way, I wouldn't recommend using a PhaseListener for this since this hooks on JSF requests only, not on other requests like static CSS/JS/HTML files and "plain" JSP files.