Since you don't say, I would assume given your requirement you want all pages to require login except the login page (makes sense). This can be accomplished through the following:
<pages login-view-id="/auth/login.xhtml"> <page view-id="*" login-required="true"/> <page view-id="/auth/login.xhtml" login-required="false" /> ...
you can also use basic Servlet-container security to achieve a similar result:
<security-constraint> <web-resource-collection> <web-resource-name>restricted-urls</web-resource-name> <url-pattern>/myapp/auth/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> <!--user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint--> </security-constraint>
where 'auth' is a directory in your web application that contains pages requiring authentication. Of course you would not put your login page in the auth directory.