Login/main page forwarding and Facelets

I'm trying to make a simple JSF project wich shows a login page, if the user is not logged, or the main application's screen, if it is. I'm trying to do this declaring the following in my index.xhtml:

<c:if test="#{userSession.logged}"> <ui:include src="main.xhtml"> <!-- wich is a facelet template client, with CSS and stuff --> </c:if> <c:if test="#{!userSession.logged}"> <ui:include src="login.xhtml"> </c:if>

Due to the use of Facelets + CSS I'm getting visually messed up pages that are shown up correctly after pressing the refresh button. What I'm looking for is an equivalent to a <ui:forward> tag, just like there used to be in JSP. Am I using the wrong approach? I've searched stuff about using PhaseListener, FacesContext, JSP and so on, but I want an approach that uses the most JSF/Facelets markups and separates the navigation logic from the backing beans.

PS.: It has been years since I made my last registration in a code forum, and I've searched a lot already, with no success.

Welcome to the JavaRanch, Kaue!

Don't use JSTL with JSF. That's what's messing you up. JSTL is designed to work with JSPs and JSF View Definitions are not JSPs, even when given the ".jsp" file extension.

Login pages are fine for learning, but I should warn you that never in a long and evil career in J2EE that dates back to before JSPs were even invented have I ever encountered a J2EE webapp that used its own login system and had any security worth speaking of. And that includes financial and military webapps. Most of them didn't last 5 minutes under attack.

The J2EE standard includes a very reliable security specification based on making the webapp container manage security. It's simple to configure and code for and I've never heard of an incident where it has been broken when applied correctly.

About the simplest and most reliable way to make Do It Yourself logins work is to use a ServletFilter. If the user isn't logged in, redirect to the login process. This has the advantage of working with both JSF and non-JSF request handlers, and in fact, the same code works just as well in non-JSF webapps. It's about the least insecure way of doing security yourself.

I really do wish that people who write books on J2EE would stop using login pages as examples, though. We have enough security problems on the Internet without starting people down the wrong track from the beginning.