On Fri, Oct 31, 2003 at 03:48:09PM -0500, Neal Sanche wrote:
> Hi All,
>
> I'm looking at writing a custom login module to track logins to a web
> application and write the successes and failures to a database table.
> I am wondering if there's currently other ways to hook into the
> authentication process to track these things. Here's specifically
> what I'm thinking of doing:
>
> - Implement a subclass of DatabaseLoginModule and 'augment' some of
>   the methods to learn about whether the login was a success or not.
> - Put the login module into a .SAR file (is that even possible?)
>   within my .EAR. Or if a .SAR file is not the appropriate place, it
>   will go within a .JAR file inside my .EAR.
>
> Is anyone out there tracking logins in a different way?
>

If this is a web application only (i.e. no stand-alone client accessing EJB's etc.) then using a LoginModule is overkill IMO :)

We use a javax.servlet.Filter for this purpose in our application. The filter is set up to filter all requests for the application. When an http-request is made to the application the filter performs these steps:

Check if a "token-object" is bound to the user's HttpSession. If it's not then check if the user has logged in to the application (request.getUserPrincipal() != null). If the user is logged in - create the "token-object" and add it to the HttpSession.

The "token-object" would be an object that implements the HttpSessionBindingListener interface and could write to the database on the valueBound()/valueUnbound() callback methods.

This is also a nice way to keep track of "extra" login information (such as full name, email address etc.) when using j2ee declarative security.

HTH, Cheers :)
//Anders

-- 
Anders Engström [EMAIL PROTECTED]
http://www.gnejs.net
PGP-Key: ED010E7F
[Your mind is like an umbrella. It doesn't work unless you open it.]
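
The filter and "token-object" described in the reply above, as an added example that is not part of the original message or the poster's code. The session attribute name, the JNDI name `java:/AuditDS` and the `LOGIN_AUDIT` table are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.Serializable;
import java.sql.*;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/** Map to /* in web.xml so every request to the application passes through. */
public class LoginAuditFilter implements Filter {
    static final String TOKEN_KEY = "loginAuditToken";   // assumed attribute name
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);
        boolean tracked = session != null && session.getAttribute(TOKEN_KEY) != null;
        if (!tracked && req.getUserPrincipal() != null) {
            // First authenticated request: binding the token fires valueBound().
            req.getSession().setAttribute(TOKEN_KEY,
                    new LoginToken(req.getUserPrincipal().getName(), req.getRemoteAddr()));
        }
        chain.doFilter(rq, rs);
    }

    /** The "token-object": the container calls it on bind and on invalidation/timeout. */
    public static class LoginToken implements HttpSessionBindingListener, Serializable {
        private final String user, addr;
        LoginToken(String user, String addr) { this.user = user; this.addr = addr; }
        public void valueBound(HttpSessionBindingEvent e)   { audit("LOGIN"); }
        public void valueUnbound(HttpSessionBindingEvent e) { audit("SESSION_END"); }
        private void audit(String event) {
            // Assumed names: JNDI DataSource java:/AuditDS, table LOGIN_AUDIT.
            String sql = "INSERT INTO LOGIN_AUDIT (EVENT, USERNAME, REMOTE_ADDR, EVENT_TIME) VALUES (?,?,?,?)";
            try {
                DataSource ds = (DataSource) new InitialContext().lookup("java:/AuditDS");
                try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
                    ps.setString(1, event);
                    ps.setString(2, user);      // bound parameter, never concatenated
                    ps.setString(3, addr);
                    ps.setTimestamp(4, new Timestamp(System.currentTimeMillis()));
                    ps.executeUpdate();
                }
            } catch (Exception ex) {            // an audit failure must not break the request
                Logger.getLogger("audit").warning("audit write failed: " + ex);
            }
        }
    }
}
```

A failed authentication never yields a principal, so this records successful logins and session ends only. The token keeps just the user name and address rather than a connection, so it stays serializable with the session.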
