I'm new to session tracking. So, need some detailed advice.
I'm having two beans - UserBean(session scope) and StudentDetailsBean(request scope) and I have two JSP pages. In the first JSP page, a user has to login. If the login is successful, then the second JSP page comes up which asks for student details. These details are inserted into the corresponding table in the database. But, in that table, I need to insert the student's userId also which I have to get from the session bean (Userbean.userId). UserId is an attribute of UserBean and not of StudentDetailsBean
What should I add to the code in the StudentDetailsBean that will extract the session variable (UserId) so that I can insert the appropriate UserId for every successful login?
Please let me know how to do this as I haven't used JSF for session tracking earlier.
Writing your own security system is a bad idea. First and foremost, since you'd be the first person I've seen since I started working with J2EE somewhere around 1998 if you actually managed to make a secure security system. Most people's "security systems" are about as secure as soggy cardboard, and that includes the "clever" ones.
Secondly, you don't HAVE to code user-detection logic in when you use the J2EE builtin security. When you let the container manage the primary security functions, it will not long handle the login process, you can easily tell if you're logged in and under what ID just by looking at the HttpServletContext getUser and getUserPrincipal methods, If they return null, you're not logged in. Otherwise, you'll have the guaranteed correct login ID without fear that it was spoofed.
An IDE is no substitute for an Intelligent Developer.
Joined: Feb 07, 2011
I'm not building a security system here. I just need to know how the whole concept of session tracking works. What I gave was a simple example. I wanted to know how data from session variables can be accessed in a bean class. I know that I have to use HttpSession but I could not figure out how to use it exactly. So, I need help in that aspect.
Well, login is a bad example to use, despite the fact that far too many Java books do so anyway.
Like I said, the builtin security system has a builtin security API, so you wouldn't be getting the user ID from a session variable, you'd be getting it from a security method.
On a broader basis, however, the only difference between HTTPSession objects and JSF session objects is that JSF has automatically constructed and initialized (via property setters) the session object automatically, whereas in a servlet or JSP, you'd have to do the job manually.
A JSF session bean can be injected into another JSF bean of equal or higher scope (session or application) using the JSF Managed Property option - either coded as part of the target bean definition in faces-config.xml or via annotations (JSF2 and later).
A non-JSF session bean has to be found the hard way by getting the HttpServletRequest object from the FacesContext and applying the getSession().getAttribute() method chain. I keep a separate JSF utility class that I can employ for that kind of stuff. It helps keep JSF-specific code out of my backing beans and makes it easier to unit-test components offline.