您可以在JSF中通过

You can in JSF get/set HTTP session attributes via ExternalContext#getSessionMap() which is basically a wrapper around HttpSession#get/setAttribute().

@Named
@RequestScoped
public class LoginController {

    private String username;
    private String password;

    @EJB
    private UserService userService;

    public String login() {
        User user = userService.find(username, password);
        FacesContext context = FacesContext.getCurrentInstance();

        if (user == null) {
            context.addMessage(null, new FacesMessage("Unknown login, try again"));
            username = null;
            password = null;
            return null;
        } else {
            context.getExternalContext().getSessionMap().put("user", user);
            return "userhome?faces-redirect=true";
        }
    }

    public String logout() {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "index?faces-redirect=true";
    }

    // ...
}

在Facelets页面中，只需将username和password输入字段绑定到此bean并相应地调用login()操作.

In the Facelets page, just bind the username and password input fields to this bean and invoke login() action accordingly.

<h:form>
    <h:inputText value="#{loginController.username}" />
    <h:inputSecret value="#{loginController.password}" />
    <h:commandButton value="login" action="#{loginController.login}" />
</h:form>

会话属性可以在EL中直接访问.名称为user的会话属性在EL中以#{user}的形式提供.测试用户是否已登录某些rendered属性时，只需检查其是否为empty.

Session attributes are directly accessible in EL. A session attribute with name user is in EL available as #{user}. When testing if the user is logged in some rendered attribute, just check if it's empty or not.

<h:panelGroup rendered="#{not empty user}">
    <p>Welcome, #{user.fullName}</p>
    <h:form>
        <h:commandButton value="logout" action="#{loginController.logout}" />
    </h:form>
</h:panelGroup>

注销操作基本上只是在破坏会话.

The logout action basically just trashes the session.

关于检查传入的请求(无论用户是否登录)，只需创建 Filter ，它在

As to checking an incoming request if an user is logged in or not, just create a Filter which does roughly the following in doFilter() method:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {    
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);
    String loginURI = request.getContextPath() + "/login.xhtml";

    boolean loggedIn = session != null && session.getAttribute("user") != null;
    boolean loginRequest = request.getRequestURI().equals(loginURI);
    boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER);

    if (loggedIn || loginRequest || resourceRequest) {
        chain.doFilter(request, response);
    } else {
        response.sendRedirect(loginURI);
    }
}

将其映射到覆盖受限页面的url-pattern上，例如/secured/*，/app/*等

Map it on an url-pattern covering the restricted pages, e.g. /secured/*, /app/*, etc.

• 如何在数据库?
• 授权重定向会话过期时无法提交JSF表单，页面保持不变

• How to handle authentication/authorization with users in a database?
• Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same