
    Session management in JSF

      Hi all
      I am confused about how to manage a user's session once they are logged in to my web app (JSF 2.0, PrimeFaces 3.3.4 and GlassFish Server 3)

      I actually use a UserBean class

      that has the following:

      * To change this template, choose Tools | Templates
      * and open the template in the editor.
      package beans;

      import java.io.IOException;
      import java.sql.Connection;
      import java.sql.PreparedStatement;
      import java.sql.ResultSet;
      import java.sql.SQLException;
      import java.sql.Statement;
      import javax.annotation.Resource;
      import javax.faces.application.FacesMessage;
      import javax.faces.bean.ManagedBean;
      import javax.faces.bean.SessionScoped;
      import javax.faces.context.FacesContext;
      import javax.faces.event.ComponentSystemEvent;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpSession;
      import javax.sql.DataSource;

      * @author ouboujlal
      // Backing bean for the login form: holds the submitted credentials, the
      // logged-in flag and the user's role.
      // NOTE(review): ManagedBean and SessionScoped are imported, but no annotation is
      // visible on the class in this listing - presumably lost in the paste; confirm.
      public class UserBean {

      private String username;
      // Password exactly as typed into the form. Nothing in the visible code clears it,
      // so it stays in this bean for as long as the bean instance lives.
      private String password;
      // Authentication / authorization state for the current user.
      // NOTE(review): both fields have public setters below, so any code or view
      // expression that can reach the bean can change them without going through
      // login(). Consider removing setIsLoggedIn/setRole and assigning these fields
      // only inside login()/logout().
      private boolean isLoggedIn;
      private String role;

      // Returns the role stored for the current user.
      public String getRole() {
      return role;

      // Overwrites the stored role (see the NOTE(review) on the fields above).
      public void setRole(String role) {
      this.role = role;
      // Container-injected JDBC data source; isValid() obtains its connection from it.
      @Resource(name = "jdbc/memdb_connection")
      private DataSource ds;

      // Receives the password submitted by the login form.
      public void setPassword(String password) {
      this.password = password;

      // NOTE(review): hands the stored plaintext password back to any caller or view
      // that can reach the bean.
      public String getPassword() {
      return password;

      // Returns the submitted username.
      public String getUsername() {
      return username;

      // Receives the username submitted by the login form.
      public void setUsername(String username) {
      this.username = username;

      // Reports whether login() has accepted the credentials.
      public boolean isIsLoggedIn() {
      return isLoggedIn;

      // Overwrites the logged-in flag (see the NOTE(review) on the fields above).
      public void setIsLoggedIn(boolean isLoggedIn) {
      this.isLoggedIn = isLoggedIn;

      // Checks the submitted username/password through isValid() and returns the view
      // to navigate to; the result stays "index.xhtml" unless the credentials are accepted.
      // NOTE(review): nothing visible here issues a fresh HTTP session after a successful
      // login, so a session identifier handed out before authentication stays valid
      // afterwards (session fixation). Renew the session when the check succeeds.
      // NOTE(review): the password field is not cleared once the check is done, so the
      // plaintext value remains in the bean.
      public String login()
      throws ClassNotFoundException, InstantiationException, IllegalAccessException, SQLException {

      String url = "index.xhtml";

      // isValid() returns the literal string "false" on failure, otherwise the user's role.
      String test = isValid(username,password);

      if (!"false".equals(test)) {
      isLoggedIn = true;
      //here is to test if the user is an admin or just a normal user
      // NOTE(review): the role test announced above is missing from this listing. As
      // shown, the second assignment always overwrites the first, so every accepted
      // login is sent to adminTemplate.xhtml. The role held in `test` should decide.
      // Choosing a landing page is not an access check: the admin views still have to
      // verify the role themselves on every request.
      url = "welcome.xhtml";
      url = "adminTemplate.xhtml";

      } else {

      // The same message is used for an unknown user and a wrong password, so the
      // response does not reveal which of the two was wrong.
      FacesContext.getCurrentInstance().addMessage("form", new FacesMessage("Invalid Username and or Password"));
      return url;

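      /**
       * Logs the current user out.
       *
       * <p>Resetting the flag alone leaves the authenticated HTTP session, the role and
       * the submitted credentials in place, so the same session cookie would still map
       * to this bean and its state. The method therefore also clears the credential and
       * role fields and invalidates the session.
       */
      public void logout() {
          isLoggedIn = false;

          // Drop everything that identified or authorized the user.
          username = null;
          password = null;
          role = null;

          // Invalidate the server-side session so its identifier cannot be reused.
          // getCurrentInstance() is null outside a JSF request, hence the guard.
          FacesContext context = FacesContext.getCurrentInstance();
          if (context != null) {
              context.getExternalContext().invalidateSession();
          }
      }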


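      /**
       * Looks up the account matching the supplied credentials.
       *
       * <p>The values are bound as statement parameters rather than concatenated into
       * the SQL text, so quotes or SQL fragments typed into the login form are treated
       * as data and cannot change the query. The connection, statement and result set
       * are closed on every path.
       *
       * <p>NOTE(review): the query compares the password column directly with the
       * submitted value, which implies passwords are stored in plaintext. Store a salted
       * adaptive hash (bcrypt, scrypt or argon2) instead and verify it in application code.
       *
       * @param username the submitted username
       * @param password the submitted password
       * @return the literal string {@code "false"} when no row matches, otherwise the
       *         value of the matching row's {@code role} column
       * @throws SQLException if the connection cannot be obtained or the query fails
       */
      public String isValid(String username, String password)
              throws ClassNotFoundException, InstantiationException, IllegalAccessException, SQLException {

          final String sql =
                  "select username, password, role from user where user.username = ? and user.password = ?";

          try (Connection connection = ds.getConnection();
               PreparedStatement stmt = connection.prepareStatement(sql)) {

              stmt.setString(1, username);
              stmt.setString(2, password);

              try (ResultSet rset = stmt.executeQuery()) {
                  if (!rset.next()) {
                      return "false";
                  }
                  return rset.getString("role");
              }
          }
      }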


      private void doRedirect(String url) {
      try {
      FacesContext context = FacesContext.getCurrentInstance();
      } catch (IOException e) {

      public void verifyUseLogin(ComponentSystemEvent event) {
      if (isLoggedIn == false) {

      * Creates a new instance of UserBean
      public UserBean() {

      and the login form is :

      <?xml version='1.0' encoding='UTF-8' ?>
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml"
      <title>Facelet Title</title>
      <link rel="stylesheet" type="text/css" href="./resources/css/indexCss.css" />

      <div id="loginForm">
      <pou:panel header="Login" widgetVar="dlg" style="width: 500px;height: 180px;" >
      <h:form id="form" >

      <h:panelGrid columns="2" cellpadding="5">
      <h:outputLabel for="username" value="Username:" />
      <pou:inputText value="#{userBean.username}"
      id="username" required="true" label="username" />

      <h:outputLabel for="password" value="Password:" />
      <pou:password value="#{userBean.password}"
      id="password" required="true" label="password" />

      <h:panelGrid columns="2" style=" margin-left: 85px; margin-bottom: 30px;" >
      <pou:commandButton id="submittButton" value="Connect" type="submit" action="#{userBean.login()}" ajax="false" style=" margin-left: 16px;" />
      <pou:commandButton id="resetButton" value="Reset" type="reset" />



      I have read that we can also use HttpServletRequest then HttpSession to retrieve the elements submitted in the form

      Which one is more secure and reliable? In my case, i.e. the managed bean class UserBean, I just check the validity of the user login with a boolean variable.

      if there is any help, advice, example I will be thankful

      thanks for help
      best regards rachid