The first thing that I must say is that I have never used a web filter in Java web applications, so perhaps this could be a stupid idea.
I'm trying to create a method that checks the privileges of the user and grants or denies access to certain pages depending on whether he is allowed to access them. For a better explanation I will give an example. Imagine a CRUD web application, OK? This application has these web pages: List.xhtml (which contains all rows and the links to manage these rows); create.xhtml (as the name says, it is used to create a new row); edit.xhtml (used to modify a row); and view.xhtml (used to view the details of a certain row).
Now I have 2 types of user: administrator and guest, OK? The privileges are simple to imagine: the administrator can do everything and the guest can only view the details of the rows.
What is the problem? The problem is that I hide the links to create and modify a row, but if a guest modifies the URL he can still enter create.xhtml and edit.xhtml and create/modify a row... I read some other questions like:
Securing JSF applications and jsf security-contraint to protect link when the user is not signed in?
and I wrote this question:
Are there some issue at inserting some check into template?
and now I'd like to create a generic method to implement the privilege check. I have the following ideas on how to solve this:
- create a filter like the one in the second linked question and insert a check like "if the user has this privilege for that action, do ...; otherwise redirect to error.xhtml".
- insert a check directly into the template, like in the third linked question.
Which of these would be the better approach? How is this typically done?
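The filter approach from the first idea, written out as an added example (not code from the question or from any linked answer). It assumes Servlet 3.0+ with Java 9+, that the four pages live under `/rows/`, that login stores the user's role in a session attribute named `role`, and the role names `administrator` and `guest` from the question; it enforces the page-to-role table server-side on every request, so hiding a link no longer matters.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Applies to every request under /rows/ (assumed location of the four pages).
@WebFilter("/rows/*")
public class PrivilegeFilter implements Filter {

    // Page -> roles allowed to open it. Guests only get list and view;
    // create and edit require administrator. Page and role names are assumed.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "List.xhtml",   Set.of("administrator", "guest"),
        "view.xhtml",   Set.of("administrator", "guest"),
        "create.xhtml", Set.of("administrator"),
        "edit.xhtml",   Set.of("administrator"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The "role" session attribute is assumed to be set by the login code.
        HttpSession session = request.getSession(false);
        String role = session == null ? null : (String) session.getAttribute("role");

        // Take only the file name: query strings such as ?id=42 are not part of it.
        String path = request.getRequestURI();
        String page = path.substring(path.lastIndexOf('/') + 1);

        // Deny by default: a page missing from the table, no session, or a role
        // not listed for that page all end up at error.xhtml instead of the page.
        Set<String> allowedRoles = ALLOWED.get(page);
        if (allowedRoles == null || role == null || !allowedRoles.contains(role)) {
            response.sendRedirect(request.getContextPath() + "/error.xhtml");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because JSF posts a form back to the same page, the POST that actually saves a row passes through the same check as the GET that opened create.xhtml or edit.xhtml.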