JSF HTTP Session Login

by

You can in JSF get/set HTTP session attributes via ExternalContext#getSessionMap() which is basically a wrapper around HttpSession#get/setAttribute().

@Named
@RequestScoped
public class LoginController {

    private String username;
    private String password;

    @EJB
    private UserService userService;

    public String login() {
        User user = userService.find(username, password);
        FacesContext context = FacesContext.getCurrentInstance();

        if (user == null) {
            context.addMessage(null, new FacesMessage("Unknown login, try again"));
            username = null;
            password = null;
            return null;
        } else {
            context.getExternalContext().getSessionMap().put("user", user);
            return "userhome?faces-redirect=true";
        }
    }

    public String logout() {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "index?faces-redirect=true";
    }

    // ...
}

In the Facelets page, just bind the username and password input fields to this bean and invoke login() action accordingly.

<h:form>
    <h:inputText value="#{loginController.username}" />
    <h:inputSecret value="#{loginController.password}" />
    <h:commandButton value="login" action="#{loginController.login}" />
</h:form>

Session attributes are directly accessible in EL. A session attribute with name user is in EL available as #{user}. When testing if the user is logged in some rendered attribute, just check if it’s empty or not.

<h:panelGroup rendered="#{not empty user}">
    <p>Welcome, #{user.fullName}</p>
    <h:form>
        <h:commandButton value="logout" action="#{loginController.logout}" />
    </h:form>
</h:panelGroup>

The logout action basically just trashes the session.

As to checking an incoming request if an user is logged in or not, just create a Filter which does roughly the following in doFilter() method:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {    
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);
    String loginURI = request.getContextPath() + "/login.xhtml";

    boolean loggedIn = session != null && session.getAttribute("user") != null;
    boolean loginRequest = request.getRequestURI().equals(loginURI);
    boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER);

    if (loggedIn || loginRequest || resourceRequest) {
        chain.doFilter(request, response);
    } else {
        response.sendRedirect(loginURI);
    }
}

Map it on an url-pattern covering the restricted pages, e.g. /secured/*, /app/*, etc.

See also:

More Related Contents:

  1. JSTL in JSF2 Facelets… makes sense?
  2. How to provide a file download from a JSF backing bean?
  3. JSF Controller, Service and DAO
  4. When should I use h:outputLink instead of h:commandLink?
  5. Retaining GET request query string parameters on JSF form submit
  6. Unicode input retrieved via PrimeFaces input components become corrupted
  7. Trying to understand immediate=”true” skipping inputs when it shouldn’t
  8. How to call JSF backing bean method only when onclick/oncomplete/on… event occurs and not on page load
  9. Difference between View and Request scope in managed beans
  10. How to use in or to select multiple items?
  11. Display database blob images in inside
  12. JPA Entity as JSF Bean?
  13. How to make number input area initially empty instead of 0 or 0.00?
  14. com.sun.faces.numberOfViewsInSession vs com.sun.faces.numberOfLogicalViews
  15. When using @EJB, does each managed bean get its own @EJB instance?
  16. Naming Container in JSF2/PrimeFaces [duplicate]
  17. How control access and rights in JSF?
  18. how to do autocomplete=”off” at form level in JSF
  19. How to add tooltip to f:selectItems
  20. Calling Managed Bean Method From JavaScript [duplicate]
  21. JSF + PrimeFaces: `update` attribute does not update component
  22. Is it possible to disable f:event type=”preRenderView” listener on postback?
  23. Bookmarkability via View Parameters feature
  24. p:commandButton vs. h:commandButton
  25. c:forEach inside primefaces(e.g. p:panelgrid) inside ui:repeat
  26. action is only invoked on second click
  27. Why doesn’t JSF 2.0 RI (Mojarra) scan my class’ annotations?
  28. JSF/Facelets: why is it not a good idea to mix JSF/Facelets with HTML tags?
  29. Calling Primefaces dialog box from Managed Bean function
  30. Pass method argument/parameter to composite-component action attribute

Leave a Comment