see the resource file, message.properties. under the path resource/WEB-INF/
Yes I checked there first but that was not my problem. My problem was that I had a redirect to a secure page that was happening regardless of whether login in was successfull and relying on the fact that the secure page would restrict access as there was not authenticated user - So this explains why I get the message
please log in first, i guess this is somthing in the framework as I removed the property from the message.properties and you still get that message under the redirect scenario.
The fix was to add a if statement that checked if the user was authenticated in the pages.xml and only redirect if so.
However I still have the issue that the @Valid annotation placed on my entity bean in the action class is not producing any validation messages, though I can add my my own message to the facesContext programatically in the action class.