I am creating a Java EE web service application. I am not sure how to implement login:
Is it better for login to be implemented in a Java EE web service application by storing the UserPrincipal in the SessionContext and retrieving it programmatically every time a method is called, to use it
e.g. say customer A buys a product, is it good programming practice to store the UserPrincipal in the SessionContext and retrieve the user id from it to use in the transaction,
or,
is it better to pass a token every time for each transaction and store all logged-in users and the tokens issued in a table, so that when the purchase is done, the token can be used to retrieve the user id?
The most common way is to log in once, authenticating the user info (username, password) against the DB,
then saving the user's data or the user's role in a session (for example, with a session-scoped bean).
That way the user data / user role is persisted and is accessible when you need it (server side or client side).
Define that bean's scope as session, and update it on the session.
In another bean, or directly from the JSF page, check the getter isLoggedIn to know if the user is logged in.
Edit
You use EJB/RMI when you access the database. Those issues are not necessarily the same/related:
you can pass the credentials to the method you invoke remotely, or you can handle authorization at your local server and let your local authentication mechanism invoke the remote method.
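A session-scoped login bean of the kind the answer describes, as an added example (not code from the question or the answer). UserStore is a hypothetical DB-backed credential check; the bean keeps only the user id and role in the session, never the password, and renews the session id on login:

```java
import java.io.Serializable;
import javax.enterprise.context.SessionScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;

// Holds the logged-in user's identity for the life of the HTTP session.
@Named("login")
@SessionScoped
public class LoginBean implements Serializable {
    private static final long serialVersionUID = 1L;

    @Inject
    private UserStore userStore;   // hypothetical: authenticate() returns the user id, or null

    private String username;       // bound to the login form
    private String password;       // bound to the login form, cleared after use
    private Long userId;           // non-null only after a successful login
    private String role;

    public String login() {
        Long id = userStore.authenticate(username, password);
        password = null;           // never keep the secret in session state
        if (id == null) {
            FacesContext.getCurrentInstance().addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;           // stay on the login page
        }
        // Issue a fresh session id so an id handed out before login cannot be reused.
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ((HttpServletRequest) ec.getRequest()).changeSessionId();
        userId = id;
        role = userStore.roleOf(id); // hypothetical lookup of the user's role
        return "home?faces-redirect=true";
    }

    public String logout() {
        // Drop the whole session so no stale identity survives logout.
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "login?faces-redirect=true";
    }

    public boolean isLoggedIn() { return userId != null; }
    public Long getUserId()     { return userId; }
    public String getRole()     { return role; }
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}
```

A purchase bean then does `@Inject LoginBean login;` and reads `login.getUserId()` for the transaction instead of trusting an id sent by the client, and a Facelets page can guard content with `rendered="#{login.loggedIn}"`.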