tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin O'Shea" <app...@dsl.pipex.com>
Subject Detecting a login or logoff event
Date Thu, 06 Oct 2011 13:29:04 GMT
I need to be able to intercept a successful authentication of a login / logout request which
can then be used to make a series of system updates to record the fact.

So, if John Doe has just logged in successfully, an update is made to his session like:

session.setAttribute("loggedIntoSession", true);

Or an update made to the database?

Conversely, upon logout:

session.setAttribute("loggedIntoSession", false);

At the moment, I am thinking about scriptlets in the pages served testing the request's servlet
path after login is successful but is a filter better? But if so, what might a filter check
for?

-----Original Message-----
From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
Sent: 05 Oct 2011 23 06
To: 'Tomcat Users List'
Subject: RE: Using multiple login pages

Thanks for this Chris. It is food for thought.

I was under the impression that <form-login-page> was static, because that's how I seen
it used in apps I've worked on.

But I am curious to try a filter as well, something like this mapped to the login:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws java.io.IOException, ServletException {


      HttpServletRequest req = (HttpServletRequest)request;
      HttpServletResponse res = (HttpServletResponse)response;

      // pre login action
      
      // get username 
      String username = req.getParameter("j_username");

      // if user is in revoked list send error
      if ( revokeList.contains(username) ) {
      res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
      return;
      }
      
      // call next filter in the chain : let j_security_check authenticate 
      // user
      chain.doFilter(request, response);

      // post login action

   }

I wouldn't mind seeing a servlet specified as <form-login-page> if you know of an example.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 05 Oct 2011 22 08
To: Tomcat Users List
Subject: Re: Using multiple login pages

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin,

On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> I have it now. There was a redirection going on in a method called 
> from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

> But one thing bugs me still: you said that you can have 'different 
> login pages for different types of resources you're trying to
> reach.' Can you give any pointers about this?

A "page" is defined as whatever the server responds when you request a
resource. The <form-login-page> you configure in your web.xml can be
dynamic: you can do whatever you want in that page. It doesn't have to
be a static <form> that always looks the same. You can
include/forward/etc from that page. It doesn't even have to be a JSP.
You can configure the <login-form-page> to be a servlet that makes
decisions and forwards to some other .jsp file.

Use your imagination.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6MxyEACgkQ9CaO5/Lv0PByHACfZL9ykx3wPGApX1yyzjxYwkQR
Rf4AoJG5DnnBtbIFYzZsKSLzPJOjJq2j
=A5GW
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message