How user session is managed in JSF and WAS

Question

I'm developing a JSF v1.2 web application which will run on Websphere Application server 8.0. We have an external security manager (SiteMinder) to provide the authentication and authorization.

As per my understanding, JSF stores the current view information in session. I've some questions regarding how session is managed in JSF and WAS.

1. Does JSF store the view state in session for both anonymous and logged in user if the state saving is set as serverside?
2. How does JSF know that the user is a logged in user or not? Do we have to tell JSF about this?
3. Is it possible to have a Trusted Authentication Inceptor (TAI) which tell WAS that the current user is a valid user?

I found a similar post here Check if session exists JSF

I'm not sure how WAS know that the user is logged in or not. In the code, there is userManager.isLoggedIn(). How does this work unless WAS is aware that user is valid?

Could you please provide your help?

Answer 1

Does JSF store the view state in session for both anonymous and logged in user if the state saving is set as serverside?

Of course. The session is not tied to the logged-in user. Instead, it's usually the other way round: the logged-in user is stored in the session.

---

How does JSF know that the user is a logged in user or not? Do we have to tell JSF about this?

It just uses the underlying HttpSession object for that, which the servletcontainer has already created and prepared for long. See also How do servlets work? Instantiation, sessions, shared variables and multithreading for in depth background explanation of the internal workings.

---

Is it possible to have a Trusted Authentication Inceptor (TAI) which tell WAS that the current user is a valid user?

This is not your concern at this point.