tomcat-users mailing list archives

From "Martin O'Shea" <>
Subject Detecting a login or logoff event
Date Thu, 06 Oct 2011 13:29:04 GMT
I need to be able to intercept a successful authentication of a login / logout request which
can then be used to make a series of system updates to record the fact.

So, if John Doe has just logged in successfully, an update is made to his session like:

session.setAttribute("loggedIntoSession", true);

Or an update made to the database?

Conversely, upon logout:

session.setAttribute("loggedIntoSession", false);

At the moment, I am thinking about scriptlets in the pages served testing the request's servlet
path after login is successful but is a filter better? But if so, what might a filter check

-----Original Message-----
From: Martin O'Shea [] 
Sent: 05 Oct 2011 23 06
To: 'Tomcat Users List'
Subject: RE: Using multiple login pages

Thanks for this Chris. It is food for thought.

I was under the impression that <form-login-page> was static, because that's how I've seen
it used in apps I've worked on.

But I am curious to try a filter as well, something like this mapped to the login:

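// needs: java.io.IOException, javax.servlet.*, javax.servlet.http.*
// revokeList is a field of the filter class (not shown in the message)
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

      HttpServletRequest req = (HttpServletRequest)request;
      HttpServletResponse res = (HttpServletResponse)response;

      // pre login action
      // get username
      String username = req.getParameter("j_username");

      // if user is in revoked list send error
      if ( revokeList.contains(username) ) {
            // status code is an assumption; the message does not show this call
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
      }

      // call next filter in the chain : let j_security_check authenticate
      // user
      chain.doFilter(request, response);

      // post login action
}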

I wouldn't mind seeing a servlet specified as <form-login-page> if you know of an example.

-----Original Message-----
From: Christopher Schultz [] 
Sent: 05 Oct 2011 22 08
To: Tomcat Users List
Subject: Re: Using multiple login pages


On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> I have it now. There was a redirection going on in a method called 
> from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

> But one thing bugs me still: you said that you can have 'different 
> login pages for different types of resources you're trying to
> reach.' Can you give any pointers about this?

A "page" is defined as whatever the server responds when you request a
resource. The <form-login-page> you configure in your web.xml can be
dynamic: you can do whatever you want in that page. It doesn't have to
be a static <form> that always looks the same. You can
include/forward/etc from that page. It doesn't even have to be a JSP.
You can configure the <login-form-page> to be a servlet that makes
decisions and forwards to some other .jsp file.

Use your imagination.

-chris
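
For the question at the top of this thread, one way to record login and logout events without intercepting j_security_check, as an added example that is not code from any poster: a filter on the protected URL patterns records the first request for which the container reports an authenticated user, and a session listener records the end of that session. The class name, the "audit.user" attribute and the logger name are assumptions.

```java
// Added example, not from the thread. Targets the javax.servlet API (Servlet 2.5/3.0).
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Map as a <filter> on the protected URL patterns and register as a <listener> in web.xml.
public class LoginAuditFilter implements Filter, HttpSessionListener {
    // Assumed attribute name; holds the user name instead of the thread's boolean flag
    // so the logout record can say who left.
    static final String AUDIT_USER = "audit.user";
    private static final Logger LOG = Logger.getLogger("auth-audit");

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String user = req.getRemoteUser(); // null until the container has authenticated
        if (user != null) {
            HttpSession session = req.getSession();
            if (session.getAttribute(AUDIT_USER) == null) {
                // First authenticated request in this session: record the login once.
                session.setAttribute(AUDIT_USER, user);
                LOG.info("login user=" + clean(user) + " addr=" + req.getRemoteAddr());
                // A database update would go here.
            }
        }
        chain.doFilter(request, response);
    }

    public void sessionCreated(HttpSessionEvent se) {}

    // Called for session.invalidate() (explicit logout) and for session timeout.
    public void sessionDestroyed(HttpSessionEvent se) {
        Object user = se.getSession().getAttribute(AUDIT_USER);
        if (user != null) {
            LOG.info("logout user=" + clean(user.toString()));
        }
    }

    // Replace CR/LF so a crafted user name cannot forge extra log lines.
    static String clean(String s) {
        return s.replaceAll("[\\r\\n]", "_");
    }
}
```

Because the logout record is written from sessionDestroyed, a timed-out session is recorded the same way as an explicit session.invalidate().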