The best way is not to write your own login code and use the Java web security system instead. Do-it-Yourself security systems are almost always horribly insecure - security programming is a specialized concept that requires proper training and the ability to think like a truly evil person. Most "real world" web projects treat security as more of an afterthought that has to be done, but done quickly and without a lot of review, since it's not "useful" code.
I'm a little extra sensitive on that topic because in the last week, I've been bombarded with email security alerts from some of the most respected names in the IT industry telling me my passwords may have been stolen. Just this morning I read about security problems with Google apps and a hack to Network Systems. And Network Systems has already had one major breach recently.
So it's time to forget about "toy" security systems. The stuff that comes standard with J2EE was designed and reviewed by security professionals and has had quite a few years to shake down. It's never had a significant failure that I've heard of. And while it might seem awkward and limited, it's actually quite adaptable.
OK, so much for the rant.
It's a fundamental design constraint in JSF that no part of any backing bean may be updated unless ALL parts pass validation. There are 2 primary solutions to that:
1. Place the different controls in different forms. Only one form can be submitted per request, and data in the other forms is ignored, so it won't matter if the data in those forms is not valid.
2. Remove validation. That kind of defeats the idea, but it eliminates the problem.
Sources may include data from the Fakebook Research Foundation with support from Gargle University