How could I read a JSF session bean from a filter?

Question

I'm searching but I can't find the answer, I need secure resources based on permissions, I can't use a filter because FacesContext is not initialized before and I need load the permissions in my session bean. Some solution avoiding use a filter? PhaseListener, ViewHandler and ResourceHandler can't capture an URL resource request, for example I need denied this direct access: http://127.0.0.1:8080/test/resources/images/image.jpg

Thx in advance...

Answer 1

JSF stores session scoped managed beans as an attribute of the HttpSession , which in turn is just available in a Filter by HttpServletRequest#getSession() .

HttpSession session = ((HttpServletRequest) request).getSession();
SessionBean sessionBean = session.getAttribute("sessionBean");
// ...

---

Update : as per the comment you seem to be actually using CDI:

my filter is triggered before than JSF, I always get a null value when I use getAttribute. I'm using CDI with 'Named' and 'SessionScoped' annotations on my Bean because I need use a interceptor to implement security

I understood that you were using JSF's own @ManagedBean and the initial answer only applies to that. If your bean is already managed by CDI's @Named , then just use CDI's own @Inject the usual way in the Filter .

@Inject
private SessionBean sessionBean;

In case of JSF @ManagedBean you should just add a if (sessionBean != null) check. It's irrelevant whether the filter is invoked before JSF servlet or not. Once the session bean has been created by JSF, it won't be null in the filter.