After searching a lot about session maintaining, I didn't get a clear answer, so I just popped up here for a better solution.
This is my first time using sessions in a Java web application, so I am a little bit confused about the way of doing it.
Now in my application I am coming to the login part.
Well, I have done a little stuff for that.
There is one method for checking the right user from the database table in my stateless session bean, which resides in the EJB module.
There is also the web service and the web module, which contains the JSF pages and the managed bean.
I am calling the method of the session bean via the web service.
I successfully configured the registered user login, but I got confused about how to do the session maintenance.
Here is my work:
Well, I have redirected to welcome.jsf after a successful login.
Up to this point it is working. Now, about getting the session value in the new page by printing the logged-in username, I'm confused about how to do it.
I have tried using session.getAttribute("username") in the other page, but I am not getting the value.
So I want to know the proper way of doing it.
At this initial stage I have not assigned the user role,
but I want to do it so that if an admin logs in, then they are redirected to the admin's home page.
Is it possible? How do I do it?
Please guide me.
Post by: Tim Holloway, Saloon Keeper
Welcome to the JavaRanch, Kreeta,
I don't care how many books start off showing how to use technology with a sample Login process, user-defined security systems are a REALLY bad idea. I've seen more of them than I can count over the years, and I've yet to see one that was really secure, no matter how many Genius Architects designed it. There's a perfectly good security system built right into J2EE itself, it is secure, having been designed by security professionals and tested over more than a decade's worth of use, and it's quite adequate for most applications.
However, considering this as a purely academic exercise, here are some observations:
1. I don't recommend using initial uppercase letters in JSF bean names. It confuses them with classnames. And, in fact, in JSF2, if you use the annotation facility, JSF2 will synthesize its default bean name by folding down the first letter of the bean's classname to lowercase.
2. JSF is all about injection and Inversion of Control. Its normal mode of operation when presented with a View to Render is to locate all the backing beans referenced by the View, and construct those that don't yet exist (including Session beans). If construction is done and there are managed properties on beans, those properties are injected into the beans. You generally only explicitly locate objects if for some reason they could not be injected.
3. As an incidental effect of Item 2, if a View references a Session-scope managed bean, the HttpSession will be created and the constructed session bean will be stored into it, which makes it that much harder to treat the existence of a Session as an indication that you're logged in. Destroying (invalidating) a Session will log you out (if you're using container-managed Authentication and Authorization), but the presence of a session doesn't mean that you're logged in.
4. Just in case that's what you're attempting here, BTW, it's not a good idea to use objects that belong to other frameworks as backing beans. Entity EJBs and ORM Domain Model objects in particular are bad fits. It's better to have a separate Backing Bean moderate interaction with those objects.
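The following is an added example, not part of either post above. It sketches how a JSF2 backing bean can read the logged-in user and role from container-managed security instead of from a session attribute. It assumes the application declares a login configuration and security roles in web.xml. The class name, the role name `admin` and the view ids `login` and `adminHome` are hypothetical.

```java
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Hypothetical bean; with no explicit name JSF2 exposes it as #{currentUser}.
@ManagedBean
@RequestScoped
public class CurrentUser {

    // Assumed role name; it must match a <security-role> declared in web.xml.
    private static final String ADMIN_ROLE = "admin";

    private ExternalContext external() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** True only when the container has authenticated this request. */
    public boolean isLoggedIn() {
        // An HttpSession can exist for an anonymous visitor, so ask the
        // container for the authenticated user instead of testing the session.
        return external().getRemoteUser() != null;
    }

    /** Login name established by the container, or null when anonymous. */
    public String getUsername() {
        return external().getRemoteUser();
    }

    /** Role membership as decided by the container's security realm. */
    public boolean isAdmin() {
        return external().isUserInRole(ADMIN_ROLE);
    }

    /** Action method: picks the landing page from the container-assigned role. */
    public String home() {
        if (!isLoggedIn()) {
            return "login";                          // hypothetical view id
        }
        return isAdmin() ? "adminHome" : "welcome";  // "adminHome" is hypothetical
    }

    /** Action method: invalidating the session ends the container login. */
    public String logout() {
        external().invalidateSession();
        return "login?faces-redirect=true";
    }
}
```

A page can then print the name with `#{currentUser.username}`. Access to the admin pages themselves is still enforced by the security constraints in web.xml, not by the navigation outcome.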