1. If you use the "Code" button in our message editor, it will create wrapper tags for your sample Java and XML that will make them easier to read.
2. It is incorrect to name a user-written class "xxxController" in JSF. All of the JSF MVC Controllers are pre-supplied in JSF. You only create View and Model objects.
3. Java has a pre-written, pre-debugged security (login system) that's part of the J2EE standard and has been for well over a decade. Please don't write your own login code except for study purposes. I've seen more java webapps than I can count that used user-written login code and not only were all of them insecure, most of them could be worked around by non-technical people in 10 minutes or less. The J2EE security system was designed by security professionals and I've never heard of it being hacked.
4. JSF is an Inversion-of-Control framework. As long as you have defined your backing bean's JSF context properly using annotations or entries in faces-config.xml, JSF will construct the bean as needed and use its internal controllers to automatically transfer data (bean properties) to and from the View. All your action methods have to do to get the form values is use the backing bean's "get" methods.
5. Your h:message tag is for your form, but I don't think forms ever produce messages. If you want messages related to specific controls, use the "for=" attribute to reference the id of the control you wish the message to be about. To get ALL messages displayed, use the "h:messages" tag. This is a good debugging trick, since JSF's contract says that if ANY control on the form has an invalid value, the JSF controller will not update the backing bean or invoke its action method.
6. Your example is JSF Version 1 code. JSF version 2 has been out a long time now. It uses xhtml instead of "JSP"s for its View Templates.
An IDE is no substitute for an Intelligent Developer.