The Filterhomework does a great job of spelling correctly, but it is less convenient to maintain / reuse because it is closely related to the web application in question. Java Security, managed by the Java EE container and Spring Security, offers an API that is the same and can be used for every web application. This may be easier for developers / technicians who work on several different projects and want to implement and support them. While relatively easy to implement, homegrown Filterjust violates DRY .
By the way, I would not recommend using PhaseListenerfor this, because it concerns only JSF requests, and not other requests, such as static CSS / JS / HTML files and "simple" JSP files.