I'm currently using a PhaseListener as below to perform user authorization.

private PhaseId phaseId = PhaseId.RESTORE_VIEW;

@Override
public void afterPhase(PhaseEvent event) {

    FacesContext fc = event.getFacesContext();
    boolean isOnAllowedPage = false;
    String[] allowedPages = choseRightPages(); // chose pages for role

    for (String s : allowedPages) {
        if (fc.getViewRoot().getViewId().lastIndexOf(s) > -1) {
            isOnAllowedPage = true;
            break;
        }
    }

    if (!isOnAllowedPage) {
        NavigationHandler nh = fc.getApplication().getNavigationHandler();
        nh.handleNavigation(fc, null, "prohibited");
    }
}

It does what I want, however I don't see it being listed in How to handle authentication/authorization with users in a database? and this Coderanch topic titled "authorization with phaselistener problem" also mentions the following:

You shouldn't couple authorization that tight with JSF. Better make use of container managed authentication and/or a simple filter acting on an url-pattern covering the protected pages.

I don't exactly understand the limitations of using a PhaseListener instead of a Filter when performing user authorization. Can someone explain it to me?

A PhaseListener is only fired on a JSF request (i.e. a HTTP request which invoked the FacesServlet). It's not fired when a non-JSF request is executed and thus exposes a potential security leak on non-JSF requests. A servlet Filter can be fired on every single HTTP request, regardless of the target servlet.

In other words: HTTP request authorization should not be tied to having the FacesContext available, but to the ServletRequest available. Always try to authorize as "low level" as possible.