First, check to see if Spring Security is doing validation all by itself or if it's hooked into JEE standard security. In the case of JEE standard security, you'd have defined a login page and a loginfail page in /WEB-INF/web.xml or an equivalent, and in that case there would be no actual application logic because login is handled by your webapp server and not by the application. The loginfail page can simply be static HTML content.
Regardless, I do recommend that a "login fail" page should not have any fancy logic on it because the extra logic/controls allow the potential to weasel past security in the post-loginfail section of the webapp. I prefer a stark basic HTML fail page. Dead end.
As far as using the p:messages tag itself goes, roughly speaking, the application code has to obtain the FacesContext and use the addMessage() method to add your custom message(s) to the set of FacesMessages being sent to the client.
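
An added example, not part of the original post: a sketch of the FacesContext/addMessage() approach for the case where Spring Security handles the login itself. The bean name, the preRenderView wiring, the javax.faces (JSF 2.x) namespace and the assumption that the failure handler redirects and leaves the exception in the session are all hypothetical choices made for illustration.

```java
import java.util.Map;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;

import org.springframework.security.web.WebAttributes;

// Hypothetical backing bean for the login view (name and wiring are assumptions).
@ManagedBean
@RequestScoped
public class LoginMessageBean {

    // Invoke before the login view renders, for example with
    // <f:event type="preRenderView" listener="#{loginMessageBean.showLoginError}"/>
    public void showLoginError() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        Map<String, Object> session = ctx.getExternalContext().getSessionMap();

        // Assumption: the Spring Security failure handler redirected back to the
        // login view and stored the last authentication exception in the session
        // under this key. Removing it keeps the error from reappearing on reload.
        Object failure = session.remove(WebAttributes.AUTHENTICATION_EXCEPTION);
        if (failure == null) {
            return; // normal visit to the login page, nothing to report
        }

        // Use one generic text for every failure type (bad password, unknown user,
        // locked account) so the page does not reveal which accounts exist, and
        // never echo the exception message or the submitted username.
        FacesMessage message = new FacesMessage(
                FacesMessage.SEVERITY_ERROR,
                "Login failed",
                "Invalid username or password.");

        // A null client id makes this a global message, which a <p:messages/>
        // tag on the page picks up and renders.
        ctx.addMessage(null, message);
    }
}
```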