Login/Register
How can I access session attribute in Facelets page
Asked Answered
Solved javajsfsessionauthenticationfacelets
B

1

9

I have implemented a login form using JSF and PrimeFaces. I used this example in the PrimeFaces showcase website.

I have a Facelets page to show a dataTable. Now I need to integrate the above login form with this table page. So I added few lines in to LoginBean.java to handle session attribute.

     if (username.equals(getUsername_db()) && password.equals(getPassword_db())) {//valid user and paward
        loggedIn = true;
        msg = new FacesMessage(FacesMessage.SEVERITY_INFO, "Welcome", getUsername_db());
        //new lines
        FacesContext context2 = FacesContext.getCurrentInstance();
        HttpSession session = (HttpSession) context2.getExternalContext().getSession(true);
        session.setAttribute("user", username);
        //end of new lines
        ...

I need to hide a column from the dataTable, if the user is not logged in. Now my problem is, how can I access session attribute inside my Facelets page?

Byproduct answered 24/10, 2012 at 10:33 Comment(0)
G
21

You've stored the logged-in user as a session attribute with the name "user".

So it's in EL available as follows:

#{user}

You can just use the empty keyword in EL to check if it's present or not (i.e. if it's logged-in or not) and you can use JSF component's rendered attribute to instruct whether to generate HTML output or not.

<h:panelGroup rendered="#{not empty user}">
    <p>Welcome #{user}, you have been logged in!</p>
</h:panelGroup>

In your specific case of hiding a table column, just use it as follows:

<p:column rendered="#{not empty user}">
    ...
</p:column>

A nicer way to store a session attribute is using ExternalContext#getSessionMap(). This way your code is free of smelly javax.servlet.* imports.

FacesContext.getCurrentInstance().getExternalContext().getSessionMap().put("user", username);

Unrelated to the concrete problem, why the following check?

if (username.equals(getUsername_db()) && password.equals(getPassword_db())) {

Why don't you just do a SELECT ... FROM user WHERE username=? AND password=? in SQL? Or don't you trust the DB that it returns the right row?

Gardenia answered 24/10, 2012 at 10:57 Comment(4)
Thanks BalusC. But I got the user as an object in the view. something like this showed "User@1a8b71e". Anyway I got <h:panelGroup rendered="#{not empty user}"> part from your answer to solve my problem. I removed the session setting part and set LoginBean class as SessionScoped. And I was able to get values directly inside my panelGroup tag.Thanks again for the SQL advice. I changed it using prepared statements.Byproduct
Apparently username as shown in your code is not a String at all. Perhaps you oversimplified the code in the question? By the way the SQL comment wasn't meant to hint about prepared statements. You're comparing the username and password twice (once in DB and another afterwards in Java). This makes no sense. Just check if DB returned one record or not, that's all. You don't need to compare the username/password once again which you already asked the DB to check and return.Gardenia
Got it! but in my last sql query I just used only username with the Where clause. like : String query = "SELECT username,password FROM user WHERE username = '" + uname + "'; "; So I could just remove username.equals(getUsername_db() part. I need only to check password in this case... thanks for you suggestion.Byproduct
This makes also no sense. Just add password to the WHERE. SQL queries should always be written that way that it returns exactly the data you want, without any necessary additional checks afterwards. By the way, with string-concatenating user-controlled input in SQL string like that you're opening a huge SQL injection attack hole. Use prepared statements.Gardenia

© 2022 - 2024 — McMap. All rights reserved.