a workaround for custom login bean

For the past days I've been trying like crazy to create a jsf loginBean for my app but I did not find a working example nor figured it out by myself, so I came with a, what a believe to be ugly, solution, as follows:

HTML Code:

---

<p:dialog id="dialog" widgetVar="dlg" closable="false" draggable="false" resizable="false" header="Login" visible="true">
            <h:form>   
                <p:panelGrid columns="2">

                    <p:outputLabel for="username" value="Usuário:"/>
                    <p:inputText id="username"
                                title="Preencha com o seu usuário (login)."
                                required="false"
                                value="#{loginBean.usuario}"/>

                    <p:outputLabel for="password" value="Senha:"/>
                    <p:password id="password"
                                title="Preencha com a sua senha."
                                required="true"
                                value="#{loginBean.senha}"/>

                    <f:facet name="footer">
                        <p:commandButton value="Entrar"
                                        actionListener="#{loginBean.doLogin}"
                                        oncomplete="handleLoginRequest(xhr, status, args)"/>
                    </f:facet>

                </p:panelGrid>
            </h:form>

<form id="form_spring" hidden="true" action="j_spring_security_check" method="post"> 
                <h:panelGrid columns="2" cellpadding="3"> 
                    <h:outputLabel for="j_username" value="Login:" /> 
                    <p:inputText
                        id="j_username" required="true" label="login" />                   
                    <h:outputLabel for="j_password" value="Senha:" /> 
                    <p:password feedback="false" minLength="6" 
                                id="j_password" required="true" label="senha" /> 
                </h:panelGrid> 
                <center>   
                    <h:commandButton id="b_login" value="Login" style="width:80pt"/>
                </center>
            </form>
        </p:dialog>
<script type="text/javascript"> 
            function handleLoginRequest(xhr, status, args) {

                if(args.validationFailed || !args.loggedIn) {
                jQuery('#dialog').effect("shake", { times:3 }, 100); 

                } else { 

                    dlg.hide();

                    document.getElementById("j_username").setAttribute("value", document.getElementById('login').getAttribute('value'));

                    document.getElementById("j_password").setAttribute("value", document.getElementById('senha').getAttribute('value'));

                    document.getElementById("b_login").click();
                } 
            }
           
            function setVariab(){
                document.getElementById("j_username").setAttribute("value", "");
                document.getElementById("j_password").setAttribute("value", "");
            }
        </script>

---

It consists of a form withina form, the second being triggered by the first one, if the user input return true from the loginBean.doLogin.
My point is: this is obviously a preposterous solution, but it works.
I would like to know if there's some kind of security breach or problems with that, and if someone can give/point me a functional example of a @ManagedBean/@Named controller for login, please!