2

What happens when you log in?

The login page is defined using pure XHTML with JSF controls. The form uses JSF EL value binding and method binding expressions to refer to Seam components. For example, #{identity.username} refers to a property of the Identity component and #{identity.login} refers to a method of the Identity component.

<div>
  <h:outputLabel for="username">Login Name</h:outputLabel>
  <h:inputText id="username" value="#{identity.username}" />
</div>
<div>
  <h:outputLabel for="password">Password</h:outputLabel>
  <h:inputSecret id="password" value="#{identity.password}" />
</div>
... ...
<div class="buttonBox">
  <h:commandButton action="#{identity.login}" value="Account Login" class="button" />
</div>

After logging in, the User entity bean is mapped to the Seam context variable named user via the @Name annotation. User is a session-scoped bean, meaning that the user component value is retained for the entire session for each user. You might also notice there are validation annotations on the data properties. We will discuss those annotations in the next step.

@Entity
@Name("user")
@Scope(SESSION)
public class User implements Serializable {

  private String username;
  private String password;
  private String name;

  // Validation annotations sit on the property getters.
  @NotNull
  @Length(min=5, max=15)
  public String getPassword() { return password; }
  public void setPassword(String password) { this.password = password; }

  // The username is the entity's primary key.
  @Id
  @Length(min=5, max=15)
  public String getUsername() { return username; }
  public void setUsername(String username) { this.username = username; }

  // ... ...
}

Seam comes with its own Security framework, based on JAAS. It allows you to perform user authentication by configuring your own authentication method in components.xml.

<security:identity authenticate-method="#{authenticator.authenticate}"/>

AuthenticatorAction is an EJB 3.0 session bean mapped to the Seam context variable named authenticator. When the login button is clicked, the JSF method binding #{identity.login} is evaluated, and based upon the previous configuration, the authenticate() method is invoked upon AuthenticatorAction.

@Stateful
@Scope(EVENT)
@Name("authenticator")
public class AuthenticatorAction implements Authenticator {

  @In Identity identity;

  @PersistenceContext EntityManager em;

  // Outjected to the session scope after a successful login.
  @Out(required=false, scope = SESSION)
  private User user;

  public boolean authenticate() {
    // Named parameters keep the submitted values out of the query text.
    List results = em.createQuery(
        "select u from User u where u.username=:username " +
        "and u.password=:password")
      .setParameter("username", identity.getUsername())
      .setParameter("password", identity.getPassword())
      .getResultList();

    if ( results.size()==0 ) {
      return false;
    } else {
      user = (User) results.get(0);
      return true;
    }
  }

  @Remove @Destroy
  public void destroy() {}
}

The @In annotation tells Seam to inject an Identity (a built-in Seam component that provides security functionality) when any method of AuthenticatorAction is invoked. The @Out annotation indicates the AuthenticatorAction bean can change the value of the user context variable and make the new instance available to other session beans and JSF pages.