Can you please raise this in JIRA?
My apps simply have their own secure login pages so I don't have a best practice, but I'll help hash something out. I suppose my first question is. Are you using Facelets? My knee jerk solution to this would be to write a simple <my:loginForm> tag with Facelets that used a regular html form and an https action URI. The action URI can be backed by a servlet that would get everything sorted. When it's all said and done you end up being redirected to your app's home jsf page with a new secure session and populated identity.
Sure it would be nice if some nice jsf framework provider did all the work for you. Fortunately I don't think it's that much work and should fit the requirements. I'm sure Seam will eventually get there, they just need to step back and think about the problem. I think they've been burnt rushing into things in the past.
Thank you for the responses.
Shane, it looks like a JIRA was already opened on the subject (see my link), but I could open another if you think its best?
I am using facelets and I agree it would probably not be too much trouble to roll my own solution. I've just been trying to do things the "seam" way first.
I also agree that its best for the Seam team to move carefully, especially in the area of security. It just had me wondering if there wasn't a good reason for not supporting a scheme attribute and perhaps a larger issue I should be aware of. After all, its not really a seam issue, JSF doesn't support it either.
Anyhow, for us, we decided to replace our login form on the home page with a link to the login form instead.
Thanks for the help.