Java Developer's Journal published a very good article on security issues in JSF applications. The article consists of three pages. The first two pages provide the necessary background information along with a possible solution. The third page reads as if the editors decided not to publish more details and just finished the article as fast as possible. The source code attachment does not work either.
Another link to check is the JSF security project on SourceForge.