Recently I ran into this problem. As of now, it is not possible to set up form-based authentication with a JavaServer Faces form.
The best solution I found was to use the ACEGI security system. It is a great security framework, fits perfectly into my Spring application and, best of all, I am finally using my Service and DAO objects to perform the authentication: no product-specific plugins anymore!