tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevin HaleBoyes <>
Subject FORM-based authentication question
Date Fri, 07 Sep 2001 15:48:01 GMT
I'm successfully using FORM-based logins in my application but I have
a few questions.  When a user logs in, I want to attach certain information
to the session.  Currently I use a filter that checks to see if the
request.getRemoteUser is set (or has changed) and if so, I do a database
call to get the User information, instantiate a UserClass and set it into
the session.  It works fine but...

The filter gets called for every request but only acts when a user logs in.
Sure the test (to see if anything needs to be done) is simple and fairly
quick, but it is done for _every_ request.

Is there a better way?

I'm thinking something similar in style to the HttpSessionListener interface.
Maybe an AuthenticationListener.  Tomcat 4 (or any Servlet 2.3 container :)
"knows" when a user has been authenticated (or, for that matter, when the
authentication/session times out) but I don't see any way to hook into that
event.  The timed out session information can be had using the
HttpSessionListener.sessionDestroyed() method and my application knows
if, in the very rare case :-) that a user actually logs out.  But notification
of an authentification seems to be missing (from the spec).

The HttpSessionListener.sessionCreated() method doesn't do what I want since
a session is created even when a user is not authenticated.

How do others attach information to the session once a user has been

Kevin HaleBoyes

Do You Yahoo!?
Get your free address at
or your free address at

View raw message