All the textbooks seem to mention container-managed security, but I have always stayed away from it. In every application I have done so far I have implemented application-managed authentication, which gives you much more flexibility with regard to how authentication is done. The price, of course, is that you will have to allocate a couple of days to implementing and fiddling with it.
The key to making it easy is to 1) incorporate the authentication right in your Facelets template that all pages use so you always have it, and 2) have a @SessionScoped bean which holds the state of the user login. In the application I am working on now the top part of the template looks like this:
```xml
<div id="top" class="top" style="min-height: 40px">
    <h:form id="formLogout" style="float: right"
            rendered="#{userSession.loggedIn}">
        <h:outputText
            value="Logged In As: #{userSession.sysUser.handle} "
            rendered="#{userSession.loggedIn}" />
        <p:commandLink value="Logout"
                       ajax="false"
                       action="#{userSession.logoutUser}" />
    </h:form>
    <h:panelGrid style="float: right" rendered="#{!userSession.loggedIn}" >
        <h:form id="formLogin">
            <h:outputLabel value="User Handle: " />
            <p:inputText size="16" value="#{userSession.loginHandle}" />
            <h:outputLabel value=" Password: " />
            <p:password value="#{userSession.loginPassword}" />
            <p:commandButton value="Login"
                             ajax="false"
                             action="#{userSession.login}" />
            <h:link outcome="/newUser" value=" New User" />
            <h:commandLink action="#{userSession.loginAlan}" value="A" />
        </h:form>
    </h:panelGrid>
    <h:link outcome="/index" value="MyWebApp v#{wisApp.ver}" />
    <h:outputText value=" " />
</div>
```
I'll not bore you with the UserSession bean since it should be pretty obvious. The **sysUser** property is actually a JPA entity fetched from the Derby database.
(Note the extra **h:commandLink value="A"**. That's a link that automatically logs *me* in so I don't have to type my username and password over and over again while developing.)
That should probably be what you need.
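
The post leaves the UserSession bean out; as an added example (not the poster's code), here is one way to write a bean that matches the template's bindings, rotating the session id at login, invalidating the session at logout, and keeping the `loginAlan` shortcut inert outside the JSF Development project stage. It assumes Java EE 8 (`javax` namespace, Servlet 3.1+, JPA 2.2), an entity class named `SysUser` with hypothetical `getSalt()` and `getPasswordHash()` accessors (`byte[]`) holding a PBKDF2 hash created with the same parameters, and a placeholder developer handle.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.SessionScoped;
import javax.faces.application.ProjectStage;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.servlet.http.HttpServletRequest;
@Named("userSession")
@SessionScoped
public class UserSession implements java.io.Serializable {
    @PersistenceContext private EntityManager em;
    private SysUser sysUser;  // null = not logged in; getSalt()/getPasswordHash() are assumed
    private String loginHandle, loginPassword;
    public String login() throws Exception {
        SysUser u = find(loginHandle);
        String pw = loginPassword;
        loginPassword = null;  // do not keep the clear text in session state
        if (u == null || pw == null || pw.isEmpty()) return null;  // stay on the page
        byte[] calc = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(
                new PBEKeySpec(pw.toCharArray(), u.getSalt(), 210_000, 256)).getEncoded();
        return java.security.MessageDigest.isEqual(calc, u.getPasswordHash()) ? establish(u) : null;
    }
    public String loginAlan() {  // developer shortcut; PROJECT_STAGE defaults to Production
        return FacesContext.getCurrentInstance().isProjectStage(ProjectStage.Development)
                ? establish(find("DEV_HANDLE_PLACEHOLDER")) : null;
    }
    public String logoutUser() {  // drops the whole session, including this bean
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/index?faces-redirect=true";
    }
    private String establish(SysUser u) {
        if (u == null) return null;
        ((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext()
                .getRequest()).changeSessionId();  // fresh session id once authenticated
        sysUser = u;
        return "/index?faces-redirect=true";
    }
    private SysUser find(String handle) {  // parameter binding, no string concatenation
        return em.createQuery("SELECT u FROM SysUser u WHERE u.handle = :h", SysUser.class)
                .setParameter("h", handle).getResultStream().findFirst().orElse(null);
    }
    public boolean isLoggedIn() { return sysUser != null; }
    public SysUser getSysUser() { return sysUser; }
    public String getLoginHandle() { return loginHandle; }
    public void setLoginHandle(String h) { loginHandle = h; }
    public String getLoginPassword() { return loginPassword; }
    public void setLoginPassword(String p) { loginPassword = p; }
}
```

The `rendered` attributes in the template only hide markup; any page or action that needs a logged-in user still has to check `userSession.loggedIn` on the server side.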