The J2EE version 6 standard encourages the use of Java Server Faces (JSF) for web applications. However, the structure of a JSF-based application means that the ability to do fine-grained, declarative access control is lost. This paper suggests a mechanism for introducing fine-grained, declarative access control to the JSF world. In addition, this paper suggests a mechanism to enforce the notion of a single session (only one active session per user).