I have a JSF application which is secured by a custom security framework (similar to SITE MINDER). The security framework, after authentication, passes the authenticated user name within an in-memory session cookie.
The entire user information, like his group and access restrictions (field / UI component level), resides in the application database.
I have used a filter on the JSF Faces servlet to retrieve the user information from the database and store it in the session.
Is this use of filter a good approach?
I would fetch such information only once and store it in a simple session scoped bean after a successful login, but I am weird for wanting to do things in a simple way.
A filter can work to validate if the user is still "logged in" (i.e. his/her session didn't expire), but since this is JSF you could also use a phase listener for such a purpose.
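A sketch of the pattern discussed in this thread, added here as an example and not code from the question or the answer: the filter does the database lookup once per session, and discards the cached rights if the user name in the cookie no longer matches. The cookie name `AUTH_USER`, the session and context attribute names, and the `UserProfile` / `UserProfileDao` types are hypothetical; it assumes the security framework is the only route to the application and is what sets the cookie.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical types standing in for the application's own user model and DAO.
interface UserProfileDao { UserProfile findByUserName(String userName); }
final class UserProfile implements java.io.Serializable {
    final String userName;   // the real model would also carry group and field-level restrictions
    UserProfile(String userName) { this.userName = userName; }
}

public class UserProfileFilter implements Filter {
    static final String COOKIE_NAME = "AUTH_USER";    // assumed name of the framework's cookie
    static final String SESSION_KEY = "userProfile";  // assumed session attribute
    private UserProfileDao dao;

    @Override public void init(FilterConfig cfg) {    // assumed: DAO published in the ServletContext
        dao = (UserProfileDao) cfg.getServletContext().getAttribute("userProfileDao");
    }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = cookieValue(req, COOKIE_NAME);
        if (user == null || user.isEmpty()) {          // no identity supplied by the framework
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        UserProfile profile = (UserProfile) session.getAttribute(SESSION_KEY);
        if (profile != null && !profile.userName.equals(user)) {
            session.invalidate();                      // identity changed: drop the stale rights
            session = req.getSession(true);
            profile = null;
        }
        if (profile == null) {                         // first request of the session: one DB lookup
            profile = dao.findByUserName(user);
            if (profile == null) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            session.setAttribute(SESSION_KEY, profile);
        }
        chain.doFilter(rq, rs);
    }

    private static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();           // null when the request carries no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
}
```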