JSF Authentication Login Logout Database Example

Published on August 3, 2022

An authentication mechanism gives users secure access to the application by validating the username and password. We will be using a JSF view for login, a DAO object, HttpSession for session management, a JSF managed bean and a MySQL database. Let's now look in detail at how to create a JSF login logout authentication mechanism in a JSF application.

Step 1: Create the table Users in the MySQL database as;

CREATE TABLE Users( 
uid int(20) NOT NULL AUTO_INCREMENT, 
uname VARCHAR(60) NOT NULL, 
password VARCHAR(60) NOT NULL, 
PRIMARY KEY(uid));

Here we create the Users table with uid as the primary key, and username and password fields with NOT NULL constraints.

Step 2: Insert data into the table Users as;

INSERT INTO Users VALUES(1,'adam','adam');

Before we move on to our project-related code, the image below shows the project structure in Eclipse. Just create a dynamic web project and convert it to Maven to get the project stub, and then keep adding the different components.

[Image: project structure in Eclipse]

Step 3: Create the JSF login page login.xhtml as;

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
	xmlns:h="http://java.sun.com/jsf/html">
<h:head>
	<title>login</title>
</h:head>
<h:body>
	<h:form>
		<h3>JSF Login Logout</h3>
		<h:outputText value="Username" />
		<h:inputText id="username" value="#{login.user}"></h:inputText>
		<h:message for="username"></h:message>
		<br></br><br></br>
		
		<h:outputText value="Password" />
		<h:inputSecret id="password" value="#{login.pwd}"></h:inputSecret>
		<h:message for="password"></h:message>
		<br></br><br></br>
		
		<h:commandButton action="#{login.validateUsernamePassword}"
			value="Login"></h:commandButton>
	</h:form>
</h:body>
</html>

Here we create a JSF login view page with username and password fields, whose values are bound to the login managed bean. Clicking the Login button invokes the validateUsernamePassword method to validate the username and password.

Step 4: Create the managed bean Login.java as;

package com.journaldev.jsf.beans;

import java.io.Serializable;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

import com.journaldev.jsf.dao.LoginDAO;
import com.journaldev.jsf.util.SessionUtils;

@ManagedBean
@SessionScoped
public class Login implements Serializable {

	private static final long serialVersionUID = 1094801825228386363L;
	
	private String pwd;
	private String msg;
	private String user;

	public String getPwd() {
		return pwd;
	}

	public void setPwd(String pwd) {
		this.pwd = pwd;
	}

	public String getMsg() {
		return msg;
	}

	public void setMsg(String msg) {
		this.msg = msg;
	}

	public String getUser() {
		return user;
	}

	public void setUser(String user) {
		this.user = user;
	}

	//validate login
	public String validateUsernamePassword() {
		boolean valid = LoginDAO.validate(user, pwd);
		if (valid) {
			HttpSession session = SessionUtils.getSession();
			session.setAttribute("username", user);
			return "admin";
		} else {
			FacesContext.getCurrentInstance().addMessage(
					null,
					new FacesMessage(FacesMessage.SEVERITY_WARN,
							"Incorrect Username and Password",
							"Please enter correct username and Password"));
			return "login";
		}
	}

	//logout event, invalidate session
	public String logout() {
		HttpSession session = SessionUtils.getSession();
		session.invalidate();
		return "login";
	}
}
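
The Login bean above stores the typed password in a session-scoped field and, after a successful check, continues on the session ID that was issued before authentication. The variant below, an added example that is not the tutorial's code, clears the password once it has been checked and issues a new session ID at login. It assumes a Servlet 3.1 or later container for changeSessionId(); the class name HardenedLogin is hypothetical, and it replaces Login rather than sitting beside it, since both use the bean name login.

```java
package com.journaldev.jsf.beans;

import java.io.Serializable;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

import com.journaldev.jsf.dao.LoginDAO;

// Added example: hypothetical replacement for the tutorial's Login bean.
@ManagedBean(name = "login")
@SessionScoped
public class HardenedLogin implements Serializable {

	private static final long serialVersionUID = 1L;

	private String user;
	// transient: not written out if the container serializes the session
	private transient String pwd;

	public String getUser() { return user; }
	public void setUser(String user) { this.user = user; }
	public String getPwd() { return pwd; }
	public void setPwd(String pwd) { this.pwd = pwd; }

	public String validateUsernamePassword() {
		FacesContext fc = FacesContext.getCurrentInstance();
		ExternalContext ec = fc.getExternalContext();

		boolean valid = LoginDAO.validate(user, pwd);
		pwd = null; // the password is not needed after the check

		if (!valid) {
			user = null;
			fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN,
					"Incorrect Username and Password",
					"Please enter correct username and Password"));
			return "login";
		}

		// Make sure a session exists, then give it a new ID at the moment
		// the user becomes authenticated. Session attributes are kept.
		ec.getSession(true);
		((HttpServletRequest) ec.getRequest()).changeSessionId();

		// Same attribute name the tutorial's AuthorizationFilter checks.
		ec.getSessionMap().put("username", user);
		return "admin";
	}

	public String logout() {
		FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
		// Redirect so the browser requests the login page again instead of
		// re-rendering a view that belonged to the old session.
		return "/login.xhtml?faces-redirect=true";
	}
}
```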

In the Login bean we declare three String variables user, pwd and msg for the username, password and error message fields, along with their getter and setter methods. The validateUsernamePassword() method validates the username and password by invoking the LoginDAO class, which fetches the username and password from the database and compares them with the values passed from the front end. If the username and password do not match, an error message is displayed as “Incorrect username and password”. The logout() method performs logout by invalidating the attached HttpSession.

Step 5: Now create the LoginDAO java class as below. Note that the database operations code is not optimized to be used in a real project; I wrote it as quickly as possible because the idea is to learn authentication in JSF applications.

package com.journaldev.jsf.dao;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import com.journaldev.jsf.util.DataConnect;

public class LoginDAO {

	public static boolean validate(String user, String password) {
		Connection con = null;
		PreparedStatement ps = null;

		try {
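			con = DataConnect.getConnection();
			if (con == null) {
				// getConnection() returns null when the driver or database is unavailable
				return false;
			}
			ps = con.prepareStatement("Select uname, password from Users where uname = ? and password = ?");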
			ps.setString(1, user);
			ps.setString(2, password);

			ResultSet rs = ps.executeQuery();

			if (rs.next()) {
				//result found, means valid inputs
				return true;
			}
		} catch (SQLException ex) {
			System.out.println("Login error -->" + ex.getMessage());
			return false;
		} finally {
			DataConnect.close(con);
		}
		return false;
	}
}

In the LoginDAO validate() method we first establish a connection to the database by invoking the getConnection method of the DataConnect class. We use a PreparedStatement to build the query that fetches the data from the database with the user-entered values. If the result set contains any data, the input is valid and we return true; otherwise we return false.

Step 6: Create the DataConnect.java class as;

package com.journaldev.jsf.util;

import java.sql.Connection;
import java.sql.DriverManager;

public class DataConnect {

	public static Connection getConnection() {
		try {
			Class.forName("com.mysql.jdbc.Driver");
			Connection con = DriverManager.getConnection(
					"jdbc:mysql://localhost:3306/cardb", "pankaj", "pankaj123");
			return con;
		} catch (Exception ex) {
			System.out.println("Database.getConnection() Error -->"
					+ ex.getMessage());
			return null;
		}
	}

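	public static void close(Connection con) {
		if (con == null) {
			return; // getConnection() failed, nothing to close
		}
		try {
			con.close();
		} catch (Exception ex) {
			System.out.println("Database.close() Error -->" + ex.getMessage());
		}
	}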
}

We load the JDBC driver using the Class.forName method and call DriverManager.getConnection, passing the URL, username and password, to connect to the database.

Step 7: Create SessionUtils.java to obtain and manage session-related user information.

package com.journaldev.jsf.util;

import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionUtils {

	public static HttpSession getSession() {
		return (HttpSession) FacesContext.getCurrentInstance()
				.getExternalContext().getSession(false);
	}

	public static HttpServletRequest getRequest() {
		return (HttpServletRequest) FacesContext.getCurrentInstance()
				.getExternalContext().getRequest();
	}

	public static String getUserName() {
		HttpSession session = getSession();
		// no session or no logged-in user: return null instead of throwing
		if (session == null || session.getAttribute("username") == null)
			return null;
		return session.getAttribute("username").toString();
	}

	public static String getUserId() {
		HttpSession session = getSession();
		if (session != null)
			return (String) session.getAttribute("userid");
		else
			return null;
	}
}

Here we obtain the session of each logged-in user; the getUserId method reads the user id from that session, thereby associating a session id with a particular user id.

Step 8: Create the authorization filter class as;

package com.journaldev.jsf.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(filterName = "AuthFilter", urlPatterns = { "*.xhtml" })
public class AuthorizationFilter implements Filter {

	public AuthorizationFilter() {
	}

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {

	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		try {

			HttpServletRequest reqt = (HttpServletRequest) request;
			HttpServletResponse resp = (HttpServletResponse) response;
			HttpSession ses = reqt.getSession(false);

			String reqURI = reqt.getRequestURI();
			if (reqURI.indexOf("/login.xhtml") >= 0
					|| (ses != null && ses.getAttribute("username") != null)
					|| reqURI.indexOf("/public/") >= 0
					|| reqURI.contains("javax.faces.resource"))
				chain.doFilter(request, response);
			else
				resp.sendRedirect(reqt.getContextPath() + "/faces/login.xhtml");
		} catch (Exception e) {
			System.out.println(e.getMessage());
		}
	}

	@Override
	public void destroy() {

	}
}
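
The filter above decides on substrings of getRequestURI(), a value the container does not decode, so a request counts as public whenever "/login.xhtml", "/public/" or "javax.faces.resource" appears anywhere in it; it also swallows exceptions thrown further down the chain. The stricter variant below is an added example, not the tutorial's code: it matches the container-resolved path exactly, treats anything unusual as protected, and marks protected pages as non-cacheable so they are not redisplayed from the browser cache after logout. The class name and the assumption that pages are served as both /x.xhtml and /faces/x.xhtml are mine.

```java
package com.journaldev.jsf.filter;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: hypothetical class, deployed in place of AuthorizationFilter.
@WebFilter(filterName = "StrictAuthFilter", urlPatterns = { "*.xhtml" })
public class StrictAuthorizationFilter implements Filter {

	// Assumption: views are reachable as /x.xhtml and as /faces/x.xhtml.
	private static final Set<String> PUBLIC_PAGES = new HashSet<>(
			Arrays.asList("/login.xhtml", "/faces/login.xhtml"));
	private static final String[] PUBLIC_PREFIXES = {
			"/public/", "/javax.faces.resource/", "/faces/javax.faces.resource/" };

	// Servlet path plus path info: decoded by the container, without the
	// context path or query string that getRequestURI() handling has to strip.
	static String applicationPath(HttpServletRequest req) {
		String servletPath = req.getServletPath() == null ? "" : req.getServletPath();
		String pathInfo = req.getPathInfo() == null ? "" : req.getPathInfo();
		return servletPath + pathInfo;
	}

	static boolean isPublic(String path) {
		// Path parameters or parent-directory segments: never treat as public.
		if (path.indexOf(';') >= 0 || path.contains("..")) {
			return false;
		}
		if (PUBLIC_PAGES.contains(path)) {
			return true;
		}
		for (String prefix : PUBLIC_PREFIXES) {
			if (path.startsWith(prefix)) {
				return true;
			}
		}
		return false;
	}

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse resp = (HttpServletResponse) response;
		HttpSession session = req.getSession(false);
		boolean loggedIn = session != null && session.getAttribute("username") != null;

		if (isPublic(applicationPath(req))) {
			chain.doFilter(request, response);
		} else if (loggedIn) {
			// Protected page: tell browsers and proxies not to keep a copy.
			resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
			resp.setHeader("Pragma", "no-cache");
			resp.setDateHeader("Expires", 0);
			chain.doFilter(request, response);
		} else {
			resp.sendRedirect(req.getContextPath() + "/faces/login.xhtml");
		}
		// No catch block: exceptions from the chain reach the container's error handling.
	}

	@Override
	public void destroy() {
	}
}
```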

In AuthorizationFilter we implement the standard Filter interface, overriding the destroy and doFilter methods. In the doFilter method we redirect the user to the login page if they try to access any other page without logging in.

Step 9: Create admin.xhtml as;

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
	xmlns:h="http://java.sun.com/jsf/html">
<h:head>
	<title>Facelet Title</title>
</h:head>
<h:body>
	<h:form>
		<p>Welcome #{login.user}</p>
		<h:commandLink action="#{login.logout}" value="Logout"></h:commandLink>
	</h:form>
</h:body>
</html>

This page is rendered when the user logs in successfully. Logout functionality is implemented by calling the logout method of the Login.java class.

Step 10: Create faces-config.xml file as;

<?xml version='1.0' encoding='UTF-8'?>
<faces-config version="2.2" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee 
	http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd">

	<navigation-rule>
		<from-view-id>/login.xhtml</from-view-id>
		<navigation-case>
			<from-outcome>admin</from-outcome>
			<to-view-id>/admin.xhtml</to-view-id>
		</navigation-case>
	</navigation-rule>

</faces-config>

Once done with all the steps specified above, run the application and see the following output in the browser.

[Screenshots: Login Page; Authentication Error Page; Login Success Page; Accessing admin.xhtml while logged in]

Just click on the Logout link and the session will be invalidated. After that, try to access the admin.xhtml page and you will be redirected to the login page. Go ahead and download the project from the link below and try it out.

Download JSF Authentication Login Logout Project


About the author(s)

Pankaj Kumar

While we believe that this content benefits our community, we have not yet thoroughly reviewed it.

 
JournalDev
DigitalOcean Employee
May 10, 2015

Can I use this to show parts of a web site? Content logged users is secure? or render param can be injectable

- Ivan

May 10, 2015

Can I use this to show parts of a web site? Content logged users is secure? or rendered param can be injectable

- Ivan

May 12, 2015

Nice tutorial, however you forgot to specify mappings on web.xml file i.e. AuthorizationFilter *.AuthirizationFilter AuthorizationFilter /secured/*

- akasozi

September 1, 2015

Can you please provide a complete web.xml example showing the filter mappings? Thanks!

- LogicalDave

May 26, 2015

Thanks for this example, I’ve an error in SessionBean, I’m using JSF 2.1, how to import it?

- Faycal

June 17, 2015

Thanks, really helped!

- Maor

July 2, 2015

Is it specified which version of JSF is used here? And what is its jar?

- Name

July 23, 2015

Thanks for your tutorial, it was very helpful. Is there any way we can use an entity class that connects to the database? Trying not to code the SQL statement. Thanks so much

- jacklyn onye

August 14, 2015

Excellent but I have a question… what happened with AuthorizationFilter

- Boris

September 10, 2015

Rename the class “SessionBean” in the example immediately. It’s not a bean so the name is confusing.

- Philip Grove

May 10, 2016

YES. Because the class is named “SessionBean” I have lost time trying to understand what it means.

- daniel

September 10, 2015

Never ever catch “Exception” in production code, it has loads of unforeseen consequences. I had hoped that it was not done here to promote proper exception handling. Catching “Exception” is sometimes done in the test phase before proper exception handling is done, because proper exception handling on something that might not even work is a waste of time.

- Philip Grove

September 11, 2015

Upon further investigation of the example it appears to contain code that is never used and code that suggests it has been directly copied from another source. Reveal this source immediately and stop taking credit for the work of others.

- Philip Grove

September 12, 2015

It’s not copied from anywhere, can you explain which part of the code is not used? Also it’s just for understanding the concept of authentication in JSF; if I provide production-level coding here, the length of the post will be 3 times and it will lose the purpose of the article.

- Pankaj

September 22, 2015

Hello Pankaj, I was reading your tutorial and it really gave me some insights. I tried it myself but it does not work. It does not check username and password against the database but passes the values

- Ainsley

October 3, 2015

Hi you. Thank you so much. But I have a question. In the file faces-config.xml, why not add a code: controller.SercurityFilter And. I can implements PhaseListener instead of implements Filter in the file AuthorizationFilter. Thank you.

- Thien

October 3, 2015

controller.SercurityFilter

- Thien

October 10, 2015

Very good example. Why after logout if you press back button in browser is not invalidated showing the admin page with the name of the logged user? Thank you for a reply.

- alfredo fernandes

April 18, 2016

I think this is a good question. We should look for that.

- BurakErk

April 18, 2016

public String logout() {
	HttpSession session = SessionBean.getSession();
	user = "";
	pwd = "";
	session.invalidate();
	return "login";
}

This should work.

- BurakErk

October 28, 2015

Let’s say in the Users table is a field department, how to map this field to the JSF page?

- Askat

December 4, 2015

The class name “LoginDAO” is misleading as this is not a DAO object at all, it’s just a simple class which contains one (static) method.

- Krzysiek

December 15, 2015

Really good my friend. Great example

- Alessandro Mattiuzzi

January 11, 2016

Thanks a lot, so helpful. What is JSF managed bean behavior with static method? Is it safe with multiple online users? (conflict sessions or not !!)

- Gholamali Irani

February 10, 2016

Without any entries to web.xml the AuthorizationFilter is never used. Minimum is to include it in web.xml in following manner (replace xxxx with your package name): AuthorizationFilter xxxx.filter.AuthorizationFilter This Filter authorizes user access to application. error_page /error/error.xhtml

- Martin Zwernemann

February 10, 2016

Sorry, the xml was eaten by your server. I replaced the XML-marks with asterisks: *filter* *filter-name*AuthorizationFilter*/filter-name* *filter-class*xxx.filter.AuthorizationFilter*/filter-class* *description*This Filter authorizes user access to application.*/description* *init-param* *param-name*error_page*/param-name* *param-value*/ui/energy/error/error.xhtml*/param-value* */init-param* */filter*

- Martin Zwernemann

March 1, 2016

I get an error of java.lang.NullPointerException. How can I fix this?

- Mustafa Darcan

October 4, 2016

:-) This question sounds like The Project don’t want run, how to fix it :-)

- zongi

April 3, 2016

Dear Pankaj, Thanks a lot. The code you provided helped a lot with my project. One question though, how would you exclude a page from authentication? For example, if you want the user to see the home page first, which should have a link to login page. Any suggestions would be immensely appreciated. Ravi

- ravi

April 20, 2016

An Error Occurred: java.lang.NullPointerException

- Samy

May 4, 2016

Thanks a lot… =)

- Vitor Da Costa

May 15, 2016

Perfect! That works fine, thank you :)

- Toshyjoe

May 23, 2016

The app seems great though it’s throwing an exception “java.lang.NullPointerException”, why?

- edward

June 8, 2016

java.lang.NullPointerException -> You have to add the mysql connector library. It was perfect! That works fine, thank you.

- Christian

June 12, 2016

On HttpSession session = SessionBean.getSession(); I’ve error: “error: cannot find symbol” Can you help me?

- Grzesiek

June 12, 2016

Actually I changed the class name of SpringBean to SpringUtils and forgot to update the code in Login.java class. I have updated the code in the post as well as project zip file. You can download the project now, it will work fine.

- Pankaj

June 24, 2016

Hello Pankaj. I am using this project. How can I download package com.journaldev

- Tavakkaljon Dehqonov

August 9, 2016

I have a problem with this code, everything works great but if I try to log in multiple users and then log out only one, every user’s session is killed? Quite a problem or just me?

- Hrvoje

September 22, 2016

Yeah.! I have the same problem… this method kind accept only one Login at time. How to solve it?

- Fabio

September 30, 2016

thank u :)

- yosser
