I started a test application with jsf and hibernate to learn how they work.
I want to make a simple login page, i already have the data(user and pass) in a mysql db. All i need now is to validate the data inputed in the browser with the data on the db.
I know how to insert data in the db trough the browser... is there a similar way to extract and validate data or do i need a framework (maven,struts...) to achieve data validation?
I don't quite get what you're asking here, but you can do data validation without additional framework as you mentioned. You can do the validation in the database level (using a query), or in your java code (do a comparison) after you get the data from database and login page.
First, a caution. User-designed security systems are almost universally very insecure. Use a "login page" for learning, but if you want to keep intruders from eating your system, never write your own login/security code for actual Internet applications. Use a professionally-designed and tested security infrastructure such as the J2EE standard container security system.
You have confused validating data with validating credentials here. JSF itself contains many options for validating form data. Hibernate likewise has the ability to validate data before persisting it. In fact, the two validation systems can even be linked together so that Hibernate's validation can feed JSF's form validation.
But it sounds like what you really want to validate isn't the data, it's the credentials. That is, to verify that the login form (see warning above) has been supplied with a valid user ID/password combination.
When you click a JSF form submit button (commandLink), the action method that you define for the commandLink will be invoked, providing that ALL items on the form being submitted pass JSF validation. JSF validation is automatic and requires no user-written code, just specifications of constraints on the form View Template. Stuff like "required="true"" on inputText controls and any "f:validateXXXX" tags that you supply.
If and only if all input controls on the form are found valid by JSF, JSF will update the backing beans with the form values as directed by the "value=" attributes on the input form controls. Then the action method is invoked, and the action method can obtain the user id and password from their corresponding backing bean properties.
In security, the #1 rule is "volunteer NOTHING". Just ask the NSA. So for a user authentication, you don't fetch the user ID and password from the database, you ask the database whether there's a match on the submitted user ID/password.
In SQL terms:
If the returned count is "1", the credentials are valid. If the returned count is 0, the credential are not valid. Any other numbers would indicate that your database design is probably flawed.
Sources may include data from the Fakebook Research Foundation with support from Gargle University