This discussion is archived
3 Replies Latest reply: Jul 25, 2012 6:45 PM by EJP RSS

Session management in JSF

REDO LOG Newbie
Currently Being Moderated
Hi all
I am confused with how to manage users session when logged to my web app (jsf 2.0 primefaces 3.3.4 and glassfish server 3)

I actually use a UserBean class

that has the following:


/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
package beans;

import java.io.IOException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.annotation.Resource;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.faces.event.ComponentSystemEvent;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/**
*
* @author ouboujlal
*/
@ManagedBean(name="userBean")
@SessionScoped
public class UserBean {


private String username;
private String password;
private boolean isLoggedIn;
private String role;

public String getRole() {
return role;
}

public void setRole(String role) {
this.role = role;
}
@Resource(name = "jdbc/memdb_connection")
private DataSource ds;




public void setPassword(String password) {
this.password = password;
}

public String getPassword() {
return password;
}

public String getUsername() {
return username;
}

public void setUsername(String username) {
this.username = username;
}

public boolean isIsLoggedIn() {
return isLoggedIn;
}

public void setIsLoggedIn(boolean isLoggedIn) {
this.isLoggedIn = isLoggedIn;
}



public String login()
throws ClassNotFoundException, InstantiationException, IllegalAccessException, SQLException {


String url = "index.xhtml";

String test = isValid(username,password);



if (!"false".equals(test)) {
isLoggedIn = true;
//here is to test if the user is an admin or just a normal user
if("normal".equals(test)){
url = "welcome.xhtml";
}else{
url = "adminTemplate.xhtml";
}

} else {

FacesContext.getCurrentInstance().addMessage("form", new FacesMessage("Invalid Username and or Password"));
}
return url;
}



public void logout(){

isLoggedIn = false;

}




public String isValid(String username, String password)
throws ClassNotFoundException, InstantiationException, IllegalAccessException, SQLException {


Connection connection = ds.getConnection();

Statement stmt = connection.createStatement();

ResultSet rset = stmt.executeQuery("select username, password, role from user where user.username = '" + username + "' and + user.password = '" + password + "'");

if (!rset.next()) {
return "false";
} else {
return rset.getString("role");
}


}

private void doRedirect(String url) {
try {
FacesContext context = FacesContext.getCurrentInstance();
context.getExternalContext().redirect(url);
} catch (IOException e) {
}
}

public void verifyUseLogin(ComponentSystemEvent event) {
if (isLoggedIn == false) {
doRedirect("index.xhtml");
}
}

/**
* Creates a new instance of UserBean
*/
public UserBean() {
}
}



and the login form is :



<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:pou="http://primefaces.org/ui">
<h:head>
<title>Facelet Title</title>
<link rel="stylesheet" type="text/css" href="./resources/css/indexCss.css" />
</h:head>
<h:body>

<div id="loginForm">
<pou:panel header="Login" widgetVar="dlg" style="width: 500px;height: 180px;" >
<h:form id="form" >



<h:panelGrid columns="2" cellpadding="5">
<h:outputLabel for="username" value="Username:" />
<pou:inputText value="#{userBean.username}"
id="username" required="true" label="username" />

<h:outputLabel for="password" value="Password:" />
<pou:password value="#{userBean.password}"
id="password" required="true" label="password" />
</h:panelGrid>


<h:panelGrid columns="2" style=" margin-left: 85px; margin-bottom: 30px;" >
<pou:commandButton id="submittButton" value="Connect" type="submit" action="#{userBean.login()}" ajax="false" style=" margin-left: 16px;" />
<pou:commandButton id="resetButton" value="Reset" type="reset" />
</h:panelGrid>


</h:form>
</pou:panel>
</div>

</h:body>
</html>







I have read that we can also use HttpServletRequest then HttpSession to retrieve the elements submitted in the form

wich one is more secure and reliable? because in my case ie the Managed Bean class UserBean I just check the validity of the user login with a boolean variable

if there is any help, advice, example I will be thankful


thanks for help
best regards rachid

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points