I am using jsf 2.0 on websphere application server 8.
I have a request filter which authorizes an user. The user authenticates himself against an WebSEAL. The userrole is saved in a MySQL DB. My Requestfilter gets the user principal from the httpServletRequest on each request. Then I look which role the user has (in the DB).
That is very poor, because I have a DB query on each request.
To improve that, I want to implement a SessionBean which contains the username and role. My problem is, that I cant get the sessionbean from my requestfilter. I've tryed to use the sessionbean as managesproperty in the filterclass.
But I always get a Nullpointerexception because the sessionbean is never called before.
So how can I do this? Is this a wrong way?
JSF stores @SessionScoped @ManagedBeans as an attribute of the HttpSession. So, inside the Filter they are available as follows:
HttpSession session = ((HttpServletRequest) request).getSession();
SessionBean sessionBean = (SessionBean) session.getAttribute("sessionBean");
You however need to take into account that this approach won't auto-create the bean when it doesn't exist in the scope yet. This will be the case when the filter is invoked for the first time on a fresh new HTTP session. The Filtler is namely invoked before the FacesServlet. You'd then need to create the session bean yourself.
HttpSession session = ((HttpServletRequest) request).getSession();
SessionBean sessionBean = (SessionBean) session.getAttribute("sessionBean");
if (sessionBean == null) {
sessionBean = new SessionBean();
session.setAttribute("sessionBean", sessionBean);
}
// ...
sessionBean.setRole(role);
// ...
JSF won't override it with a new instance whenever it already exist in the session scope, but just reuse the very same instance as created in the Filter.
In case you're already using CDI @Named to manage beans instead of the in JSF 2.3 deprecated and Faces 4.0 removed @ManagedBean, then simply @Inject it in the Filter.