As a general rule, JSF webapps have the same security considerations as non-JSF apps, except for one thing.
In JSF, the URL often lags the page, since unlike most web application frameworks, the JSF URL is more of a "handle" to the session than an absolute resource locator.
This has consequences, since if you're using the J2EE standard container security or something that mimics it, the container security screens are based on the incoming URL, not on the resource actually being accessed.
The cure for that is to flag all security-critical navigation targets with the "redirect" characteristic. That will force a redirect to an in-sync URL so that the URL security rules and target will match up. It's a bit of additional overhead, so insecure pages would be better off not using that option, but it is essential for secured views to operate properly.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.