The logged-in user is also available in unsecured pages. You could just perform a logged-in check by checking the presence of HttpServletRequest#getRemoteUser()
and a role check by HttpServletRequest#isUserInRole()
and render restricted components accordingly.
E.g., show "login to edit" button only when user isn't logged in:
<h:commandButton
value="Login to edit" action="#{auth.login}"
rendered="#{empty request.remoteUser}" />
And show "edit" button only when user is logged in, or has the desired role:
<h:commandButton
value="Edit" action="#{someBean.edit(someItem)}"
rendered="#{not empty request.remoteUser}" />
<!-- or -->
<h:commandButton
value="Edit" action="#{someBean.edit(someItem)}"
rendered="#{request.isUserInRole('ADMIN')}" />