Tim Holloway wrote: Just a bit of nit-picking. You do not write Controllers in JSF. The primary Controller in JSF is the FacesServlet and the sub-controllers are pre-supplied in the JSF tag implementations. You only code View Templates and Models. Action methods and such within Models are not Controller code (they don't do the Controller's function of transferring values between Model and View), but are instead additional code outside of the MVC domain.
Also, it's bad practice to use underscores in Java names, even though it's legal. The general convention - for better or worse - is camelCase, and some tools may malfunction if they have to deal with unconventional names.
JSF entities are exactly the same thing as J2EE entities, except that JSF automatically constructs them if they don't exist when needed. So you can inject a servlet-created Session object into a Managed Bean, no problem, and no need to rummage around in JSF internal data structures to locate it.
Other than that, my technical term for user-designed login systems is "hacked", based on experience with many, many systems over the years. Most user-designed security is, in fact, so flimsy that an unskilled person can often bypass it in under 15 minutes. J2EE comes with a professionally-designed security subsystem and associated APIs that can repel a lot of attacks before they can even get near the webapp itself. It has been around for probably over 15 years and thus is well-proven. I recommend using it.