Hmm, that won't work either, because the processing of the JSF components will have already happened, which means that a bunch of calls were already made to the action.
I'm trying to catch it before any actions get invoked. Maybe a global action entry in the pages.xml file.
Isn't it scary when you're having a conversation with yourself on a forum?
We do that all the time ;)
Seriously, it does make it easier to google solutions for a problem when one talks themself through the solution publicly.
Is it as simple as putting the role constraint in web.xml and including an <error-page> tag for a 403? The problem I was having with interceptors is that I really want to control access to the page rather than the assortment of methods that get called from the page.