One of the reasons why I recommend using the
J2EE standard security system is because you don't have to do convoluted things like this when you use it. Although the main reason is because, as I've said too many times, it's because I've never run into a user-designed security system that was actually secure. And in your specific case, ANY request from a logger-out user to a secured URL would automatically redirect to a login without a single line of
Java code required.
I would not use
JSF for this kind of task, in any event. It would at best only be secure in cases where each and every submitted URL with security implications was a JSF URL, and that's rarely the case for me. Requests to
servlets to create reports, requests to JSPs to create XML files, stuff like that would not go through JSF and therefore would not go through a phase listener. A servletlistener is a better place to put stuff like this.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.