1) When the user tries to log in using his userid/password, these credentials are validated against my database table to make sure the user is valid.
2) When the validation passes, I retrieve some of the details about the user and display those values in the JSF page immediately after logging in.
Both of these processes happen upon one single click (i.e.) while the user inputs his userid/password and hits submit.
What I did:
When the user hits submit upon logon, I use a query to check the values against a table in a bean called "login" (managedbean name). When the values are present in the table, I use another query to retrieve the user's other information and populate these values in the setter methods in another bean called "fields". Now, using faces redirect, I pass the name of the JSF page called "userindex.xhtml". Now, I simply try to access the getter methods of the "fields" bean to display in the userindex page.
The first two queries run successfully. The only problem seems to be that the "fields" bean object is initialized/recreated when I try to access its values from the "userindex" page. Please correct me if I am wrong.
To summarize, I used a bean "login" to verify user input values with a backend table, accessed another bean called "fields" from the login bean to set all user-related information and used these "fields" values to populate in the "userindex" page.
The message editor has a "Code" button that can wrap special formatting tags around code and XML samples. That makes them easier to read. You will also get more/better help if you can reduce the amount of code you post to the essentials. We don't get paid for doing this, so when it's necessary to print out a sample and pore up and down the listing to see what's going on, chances are that few will bother.
I haven't determined what your specific problem is, but I can tell you this. If you publish that webapp out to the open Internet, chances are that it will be hacked to pieces in under 15 minutes.
I always warn people that they should use J2EE's built-in security system unless they have a very specific reason not to AND are security specialists. Essentially every user-designed J2EE login/security system I've seen has been easily hackable. And I've worked with some pretty high security projects.
In your specific case, however, you have a blatant opening for a SQL injection attack. I could potentially erase your entire database from the login screen. Without ever actually logging in at all.
Customer surveys are for companies who didn't pay proper attention to begin with.
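
The SQL injection risk raised in the reply above, shown as an added example that is not code from the original post or from either participant: a login lookup built by string concatenation next to the same lookup using a JDBC `PreparedStatement`. The class name, the `app_users` table, its `user_id` and `password_hash` columns, and the sample values are assumptions, since the poster's queries and schema are not shown.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQueryExample {

    // Hypothetical table and column names; the original post's schema is not shown.
    private static final String LOGIN_SQL =
        "SELECT 1 FROM app_users WHERE user_id = ? AND password_hash = ?";

    // Anti-pattern: user input is pasted into the SQL text, so any quote
    // character in it is parsed as SQL syntax rather than as data.
    static String concatenatedQuery(String userId, String passwordHash) {
        return "SELECT 1 FROM app_users WHERE user_id = '" + userId
             + "' AND password_hash = '" + passwordHash + "'";
    }

    // Parameterized form: the statement text is fixed and the values are
    // bound as data, so they are never parsed as part of the SQL.
    static boolean isValidUser(Connection conn, String userId, String passwordHash)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, userId);
            ps.setString(2, passwordHash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // true only if a matching row exists
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate name containing an apostrophe.
        String userId = "o'brien";
        String hash = "constructed-sample-hash";
        // The concatenated text now has an unbalanced quote: input changed the statement.
        System.out.println("Concatenated:  " + concatenatedQuery(userId, hash));
        // The parameterized text is identical for every input.
        System.out.println("Parameterized: " + LOGIN_SQL);
    }
}
```

`main` only prints the two statement texts and needs no database; `isValidUser` expects a `Connection` from whatever data source the application already uses.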