Best way to handle logins using JSF + EJBs
smokingapipe Jul 3, 2006 5:03 AMI thought this would be a FAQ, but I can't find a good answer here.
In the Servlet / JSP system, when I would implement an application, I would do it like this:
I create a User object, that holds things like the user's password, email address, and various data the user can change, like his shoe size or favorite color.
I create a login Servlet, which takes parameters (username and password). It looks in the DB for a user that corresponds to the username and password. If it finds such a user, it uses the data from the DB to create a new User object. It puts the User object into the HttpSession. It then sends a redirect to /members/index.html.
I create a filter, and map it to /members/*. This filter is the authorization filter, and all it does is check the HttpSession to make sure there is a User object in there. If not, it sends a redirect out to a login page.
Of course there is also a Signup servlet which creates new Users and stores them in the DB, there's a Logout servlet which removes a User from the HttpSession, and that's the framework for every application I write.
Now I want to move entirely to the JSF + EJB + JBoss world. What do I do?
I have a User EJB. That's fine and that works well. I have a signup form in JSF with a backing bean. That works well, and it does all the necessary validation, then it creates a new User EJB and persists it, etc. That's good.
But what do I do about the login and auth. filter?
I can easily set up a JSF backing bean that checks a username / password by doing an EJB query to see if there's a user that matches. Ok, that's no problem. But now that I have this user within my backing bean, how do I put that user into an HttpSession? And once that is there, do I just use a Filter just like before?
And finally: How do I handle persistence transactions within this application? In a typical case, a user is logged in, and decides to change his favorite color from "blue" to "azure". There's a form, and a backing bean to handle that. The backing bean would (presumably) get the User object out of the HttpSession, and then do user.setFavoriteColor("azure"). What do I need to do on the EJB side to make sure that that change persists?
Thanks for any hints on this. I'm trying to figure it out and it's new to me.