Welcome to the JavaRanch, Miguel!
First, a caution. User-designed security systems are almost
universally very insecure. Use a "login page" for learning, but if you want to keep intruders from eating your system, never write your own login/security code for actual Internet applications. Use a professionally-designed and tested security infrastructure such as the
J2EE standard container security system.
You have confused validating data with validating credentials here. JSF itself contains many options for validating form data. Hibernate likewise has the ability to validate data before persisting it. In fact, the two validation systems can even be linked together so that Hibernate's validation can feed JSF's form validation.
But it sounds like what you really want to validate isn't the data, it's the credentials. That is, to verify that the login form (see warning above) has been supplied with a valid user ID/password combination.
When you click a JSF form submit button (commandLink), the action method that you define for the commandLink will be invoked, providing that ALL items on the form being submitted pass JSF validation. JSF validation is automatic and requires no user-written code, just specifications of constraints on the form View Template. Stuff like "required="true"" on inputText controls and any "f:validateXXXX" tags that you supply.
If and
only if
all input controls on the form are found valid by JSF, JSF will update the backing beans with the form values as directed by the "value=" attributes on the input form controls. Then the action method is invoked, and the action method can obtain the user id and password from their corresponding backing bean properties.
In security, the #1 rule is "volunteer NOTHING". Just ask the NSA. So for a user authentication, you don't fetch the user ID and password from the database, you ask the database whether there's a match on the submitted user ID/password.
In SQL terms:
If the returned count is "1", the credentials are valid. If the returned count is 0, the credential are not valid. Any other numbers would indicate that your database design is probably flawed.