How would you code the login.html and error pages in JSF?
I have only found pure HTML examples for form-based authentication, and my JSF books say nothing about login and security.
Examples for login with JSF use custom beans.
But I think that should not be necessary and even redundant since an authenticated user is automatically propagated through the application.
The J2EE standard security system is Realm-independent. Whether you use JAAS, JDBC, LDAP or a custom Realm of your own, the web.xml settings and the login pages are unchanged. Only the webapp server itself knows or cares.
However, the login pages are not application pages (neither are a number of other pages defined in web.xml, such as error pages). Because these pages are presented by the server itself rather than by the webapp, they don't go through the normal processing channels. Specifically, they don't get routed through the FacesServlet, because these pages have no external URL. Without the FacesServlet, the JSF code and tags cannot function. Struts users have a similar problem.
For that reason, the login forms must be either straight HTML or simple (non-JSF) JSPs.
My login pages are very stark. The more functions and decorations you load a login page with, the greater is the likelihood that security will be compromised.
An IDE is no substitute for an Intelligent Developer.
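
A minimal version of the setup the answer above describes, as an added example that is not part of the original posts: the web.xml wiring (shown in the leading comment) and a plain HTML login page with no JSF tags. The `/secure/*` pattern, the role name `user` and the file name `loginError.html` are assumptions; `j_security_check`, `j_username` and `j_password` are the names the Servlet specification fixes for container-managed form login.

```html
<!DOCTYPE html>
<!--
  WEB-INF/web.xml fragment that selects form-based login. The URL pattern,
  role name and error page name are assumed for this example. Nothing here
  names the Realm; that is configured in the server, not the webapp.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
-->
<html>
<head><title>Log in</title></head>
<body>
  <!-- login.html: the container serves this page itself when an
       unauthenticated request hits /secure/*, so it is plain HTML and
       never passes through the FacesServlet. -->
  <!-- The action and field names below are reserved by the Servlet
       specification; the container, not application code, handles the POST. -->
  <form method="post" action="j_security_check">
    <label>User name <input type="text" name="j_username"></label>
    <label>Password <input type="password" name="j_password"></label>
    <input type="submit" value="Log in">
  </form>
</body>
</html>
```

The error page named in `form-error-page` is written the same way: static HTML with a link back to a protected URL, so the container presents the login form again.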