9

I have implemented a login form using JSF and PrimeFaces. I used this example in the PrimeFaces showcase website.

I have a Facelets page to show a dataTable. Now I need to integrate the above login form with this table page. So I added few lines in to LoginBean.java to handle session attribute.

     if (username.equals(getUsername_db()) && password.equals(getPassword_db())) {//valid user and paward
        loggedIn = true;
        msg = new FacesMessage(FacesMessage.SEVERITY_INFO, "Welcome", getUsername_db());
        //new lines
        FacesContext context2 = FacesContext.getCurrentInstance();
        HttpSession session = (HttpSession) context2.getExternalContext().getSession(true);
        session.setAttribute("user", username);
        //end of new lines
        ...

I need to hide a column from the dataTable, if the user is not logged in. Now my problem is, how can I access session attribute inside my Facelets page?

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
Tharaka Deshan
  • 1,349
  • 3
  • 15
  • 30

1 Answers1

21

You've stored the logged-in user as a session attribute with the name "user".

So it's in EL available as follows:

#{user}

You can just use the empty keyword in EL to check if it's present or not (i.e. if it's logged-in or not) and you can use JSF component's rendered attribute to instruct whether to generate HTML output or not.

<h:panelGroup rendered="#{not empty user}">
    <p>Welcome #{user}, you have been logged in!</p>
</h:panelGroup>

In your specific case of hiding a table column, just use it as follows:

<p:column rendered="#{not empty user}">
    ...
</p:column>

A nicer way to store a session attribute is using ExternalContext#getSessionMap(). This way your code is free of smelly javax.servlet.* imports.

FacesContext.getCurrentInstance().getExternalContext().getSessionMap().put("user", username);

Unrelated to the concrete problem, why the following check?

if (username.equals(getUsername_db()) && password.equals(getPassword_db())) {

Why don't you just do a SELECT ... FROM user WHERE username=? AND password=? in SQL? Or don't you trust the DB that it returns the right row?

Sean Sheehy
  • 89
  • 1
  • 13
BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • Thanks BalusC. But I got the user as an object in the view. something like this showed "User@1a8b71e". Anyway I got part from your answer to solve my problem. I removed the session setting part and set LoginBean class as SessionScoped. And I was able to get values directly inside my panelGroup tag.Thanks again for the SQL advice. I changed it using prepared statements. – Tharaka Deshan Oct 24 '12 at 12:50
  • Apparently `username` as shown in your code is not a `String` at all. Perhaps you oversimplified the code in the question? By the way the SQL comment wasn't meant to hint about prepared statements. You're comparing the username and password **twice** (once in DB and another afterwards in Java). This makes no sense. Just check if DB returned one record or not, that's all. You don't need to compare the username/password once again which you already asked the DB to check and return. – BalusC Oct 24 '12 at 12:51
  • Got it! but in my last sql query I just used only username with the Where clause. like : String query = "SELECT username,password FROM user WHERE username = '" + uname + "'; "; So I could just remove username.equals(getUsername_db() part. I need only to check password in this case... thanks for you suggestion. – Tharaka Deshan Oct 24 '12 at 13:22
  • 2
    This makes also no sense. Just add password to the WHERE. SQL queries should *always* be written that way that it returns **exactly** the data you want, without any necessary additional checks afterwards. By the way, with string-concatenating user-controlled input in SQL string like that you're opening a huge SQL injection attack hole. Use prepared statements. – BalusC Oct 24 '12 at 13:24