Since you don't say, I would assume given your requirement you want all pages
to require login except the login page (makes sense). This can be accomplished
through the following:
| pages login-view-id=/auth/login.xhtml
| page view-id=* login-required=true/
|
| page
you can also use basic Servlet-container security to achieve a similar result:
| security-constraint
| web-resource-collection
| web-resource-namerestricted-urls/web-resource-name
| url-pattern/myapp/auth/*/url-pattern
| /web-resource-collection
|