We use a session-scoped bean that has a flag indicating whether the user is logged in. The login process flips the flag. Then we have a phase listener that checks this bean to make sure it is defined in the session with the flag set. If not, control is redirected to the login page.
The logout logic we use is taken from the O'Reilly book; we do an outputLink to a regular (non-JSF) JSP, which invalidates the session and forwards to a JSF JSP.

- Brendan

-----Original Message-----
From: Eurig Jones [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 04, 2005 11:49 AM
To: [email protected]
Subject: Login system security

I'm trying to decide on a Login/Logout system to protect my files using JSF. I've played about with extending NavigationHandler, but the problem is, it doesn't protect the files which aren't JSF, and you can still run the JSP files if you wanted to...

How have you people gone about a database-driven login/logout system using Faces?
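
The phase-listener check described in the reply above, sketched as an added example that is not code from the thread or from either poster. The bean name `loginBean`, the view id `/login.jsp`, the `/login.faces` mapping and both class names are assumptions. The listener fails closed when the bean is missing, and it only sees requests that pass through the FacesServlet.

```java
import java.io.IOException;
import java.util.Map;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

// Hypothetical session-scoped bean holding the login flag. Shown in the same
// file for brevity; as a managed bean it belongs in its own public class.
class LoginBean implements java.io.Serializable {
    private boolean loggedIn;                 // flipped to true by the login action
    public boolean isLoggedIn() { return loggedIn; }
    public void setLoggedIn(boolean value) { loggedIn = value; }
}

// Register under <lifecycle><phase-listener> in faces-config.xml.
public class LoginCheckListener implements PhaseListener {
    private static final String BEAN_NAME = "loginBean";     // assumed bean name
    private static final String LOGIN_VIEW = "/login.jsp";   // assumed view id
    private static final String LOGIN_URL = "/login.faces";  // assumed servlet mapping

    public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }

    public void beforePhase(PhaseEvent event) { }

    // Runs once the view is restored, before any request values are applied.
    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        String viewId = ctx.getViewRoot() != null ? ctx.getViewRoot().getViewId() : null;
        if (LOGIN_VIEW.equals(viewId)) {
            return;                           // do not redirect the login page to itself
        }
        ExternalContext ext = ctx.getExternalContext();
        Map<?, ?> session = ext.getSessionMap();
        Object bean = session.get(BEAN_NAME);
        // Fail closed: a missing bean, a wrong type or an unset flag all deny access.
        boolean loggedIn = bean instanceof LoginBean && ((LoginBean) bean).isLoggedIn();
        if (!loggedIn) {
            try {
                ext.redirect(ext.getRequestContextPath() + LOGIN_URL);
            } catch (IOException e) {
                throw new FacesException("Redirect to login page failed", e);
            }
        }
    }
}
```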

