OK, I know it's a training exercise, but no matter how many books do this, using a user-designed security system in a webapp is an absolutely horrible thing to do. Probably 90% or more of the web apps I've seen over a long and evil career (JSPs hadn't even been invented when I first used J2EE) that incorporated DIY login systems could be broken by non-technical personnel in 10 minutes or less. And that includes systems designed by "experts" and used in financial institutions and even military apps.
J2EE/JEE defines a standard container-managed authentication and authorization system. It was designed by full-time security experts, vetted by more experts, and has been in operation essentially unchanged since the year 2000, give or take. And I've never heard of anyone exploiting it.
In almost all cases, in real-world web applications, this is the security/login mechanism I recommend that people use. Life's too short to explain to customers and shareholders why critical customer data is now residing in Ukraine.
So, for the protection of users yet unborn, I plead with your professors to pick some more innocuous example for a simple JSF webapp.
OK, so much for the
Here's where your problem lies. The xhtml resources in your JSF webapp are NOT actual page prototypes. Technically, xhtml is a standardized XML format for HTML documents. Straight HTML has some loopholes in it that make it very bad for machine parsing. What's actually in the xhtml files is what's known as View Template Language (VTL) or sometimes as View Definition Language (VDL). In JSF version 2 and higher (and properly turbocharged version 1, but that's a long time ago), these view templates are compiled to produce the internal JSF component tree that corresponds to the web page.
It's the component tree that's rendered to produce the actual HTML output sent to the client. And originally, JSF was intended to support custom renderers, so that alternatives to HTML were also possible. Back then, when mobile devices were less capable, for example, there was an XML format designed for mobile UIs. In theory, you could also render PDF pages with submittable forms on them. And so forth. This is why I discourage the use of raw HTML on View Templates. You render a PDF from a template with a "<div>" on it, and the document text is going to include the "<div>" as verbatim text.
JSF version 2 is more specifically targeting HTML, but it's still good practice to use JSF constructs in place of raw HTML where possible.
So, in brief, the doctype on your VTL (xhtml) file is processing information for the VTL compiler. It instructs the compiler (and many text editors) of the required format for valid xhtml. The doctype on your output page, on the other hand, is generated as part of the JSF page rendering process, and has no relation to the input doctype.
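For reference, the container-managed authentication and authorization recommended earlier in this post is declared in the webapp's WEB-INF/web.xml rather than written as application code. The fragment below is an added example, not part of the original post; the URL pattern, role name and page paths are assumptions chosen for illustration, and the user/role store itself is configured in the application server, not here.

```xml
<!-- Fragment of WEB-INF/web.xml (added example; names and paths are assumed) -->

<!-- Everything under /secure/ requires an authenticated user in role "user". -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected pages</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
        <!-- No http-method elements: the constraint covers every HTTP method. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- The container redirects plain-HTTP requests to HTTPS. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Keep view templates from being fetched directly by any caller:
     an auth-constraint with no role-name denies all access. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Template fragments</web-resource-name>
        <url-pattern>/templates/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

<!-- The container, not the application, shows the login page, checks the
     credentials and resumes the original request afterwards. The login
     page posts fields j_username and j_password to j_security_check. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/loginError.xhtml</form-error-page>
    </form-login-config>
</login-config>

<!-- Every role referenced in an auth-constraint must be declared. -->
<security-role>
    <role-name>user</role-name>
</security-role>
```

With this in place the application has no login action of its own: a request to a protected URL is intercepted by the container before it ever reaches the FacesServlet, and backing beans can read the result through the standard getRemoteUser() and isUserInRole() calls.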