tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: FORM-based authentication question
Date Fri, 07 Sep 2001 16:48:19 GMT


On Fri, 7 Sep 2001, Kevin HaleBoyes wrote:

> Date: Fri, 7 Sep 2001 16:48:01 +0100 (BST)
> From: Kevin HaleBoyes <kcboyes@yahoo.com>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: FORM-based authentication question
>
> I'm successfully using FORM-based logins in my application but I have
> a few questions.  When a user logs in, I want to attach certain information
> to the session.  Currently I use a filter that checks to see if the
> request.getRemoteUser is set (or has changed) and if so, I do a database
> call to get the User information, instantiate a UserClass and set it into
> the session.  It works fine but...
>
> The filter gets called for every request but only acts when a user logs in.
> Sure the test (to see if anything needs to be done) is simple and fairly
> quick, but it is done for _every_ request.
>
> Is there a better way?
>
> I'm thinking something similar in style to the HttpSessionListener
> interface. Maybe an AuthenticationListener.  Tomcat 4 (or any Servlet
> 2.3 container :) "knows" when a user has been authenticated (or, for
> that matter, when the authentication/session times out) but I don't
> see any way to hook into that event.  The timed out session
> information can be had using the
> HttpSessionListener.sessionDestroyed() method and my application knows
> if, in the very rare case :-) that a user actually logs out.  But
> notification of an authentification seems to be missing (from the
> spec).
>
> The HttpSessionListener.sessionCreated() method doesn't do what I want since
> a session is created even when a user is not authenticated.
>
> How do others attach information to the session once a user has been
> authenticated?
>

You can use HttpSessionListener to detect when the session is created or
destroyed, but there are no servlet API mechanisms that let you hook in to
the "user was authenticated" event.  You could write a Tomcat-specific
mechanism to do that, but for a portable application the filter approach
seems to me to be the best.

> Thanks,
> Kevin HaleBoyes
>

Craig


Mime
View raw message