How to restrict access to JSF pages that are not login

I have implemented a simple login on a JSF. I am suppose to see a restricted pages after I login. However, I can also access the restricted page without going through the login process. How do I lock direct access to these restricted pages so that they can only be reached after a login process.
 I need to implement this in JSF for my school project.

What are my options to implemnt this?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If you are not using the login controls available from your servlet engine (e.g., Tomcat has security contraints which can be built in) then you have to implement the login security yourself.

You can check in the page whether the user has logged in, and if they have not, redirect them to the login page.
dovobAuthor Commented:
How can I check if the user is login in JSF?
In your simple login in JSF, write a value to the user session which indicates that your user is logged in.  Then check that value on every page which you are protecting with login.  For example:

After successful login:

session.setAttribute("loggedIn", "true");

Check on protected pages:

String checkLogin = (String) session.getAttribute("loggedIn");
if( "true".equalsIgnoreCase(checkLogin) ) {
  // okay
else {

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

dovobAuthor Commented:
Thanks for your patience. I have some knowledge on servlet and JSP but I am pretty new to the concept of JSF.

I would like to find out if there is a more sophisticated way of defining this in JSF without implementing the whole chunk of code on this page?

Is there anything I can include in face-config.xml?
dovobAuthor Commented:
I have tried them but none of them have the function of restricting access to restricted pages and logging out.

This example:

specifically restricts access to index.jsp with the login.  What didn't work for you?
dovobAuthor Commented:
I would like to restrict access to the successful.jsp in the example from

User who are not login cannot access the successful.jsp page directly from the url
instead they have to go through the normal login process from
in order to reach the successful page.
How do I implement such a restriction of the successfl.jsp page. That's my question.
What does your web.xml look like?  Did you follow the directions at the bottom of the page, which explains what to change?
The answers were correct, so I think points should be awarded.
Okay.   I was the only one who answered, and my answers were correct.  They would also be useful to others using JSF (as beginners, as in this case).  So any of my answers, from the first through the 4th above, could be marked as the accepted answer.  

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Java EE

From novice to tech pro — start learning today.