I'm vaguely uncomfortable suggesting it, but how about using a Session Listener? You could have a class implement the javax.servlet.http.HttpSessionListener interface, and be notified of such events as creation, invalidation and time-out of the session. If CMA is accomplished through sessions (which for Tomcat and form-auth, I believe it is) you can do your post-auth setup here.

Potential problems:

Where in the AUTH process does the session get created? Does Tomcat create a session, even if the AUTH failed? This would invalidate this whole idea. The creation of a session object would no longer imply that the session owner is Authenticated. Also, what happens with session timeouts? Are there issues to be aware of here?

Concurrency: Your listener class would be invoked by the container and if your post-auth tasks took a long enough time, a user might click something on the interface (that they got to after being AUTH'd), and perhaps the post-auth setup has not completed yet.

Are you convinced that a filter would be too much load? The filter could simply test for the existence of one of your post-auth objects, and if it's missing, do the post-auth. Else, do nothing. Well crafted and well placed if/elses needn't add that much overhead.

Is there a single point of entry to your app? How about a short piece of code here to do the post-auth?

Finally, it just occurs to me that if you knew what Tomcat places into the session to indicate an Authenticated user, you could use a javax.servlet.HttpSessionAttributesListener class to listen for that particular attribute. This might be much safer than using a SessionListener, but probably far less portable, as each Container is free (or are they?) to implement CMA as they want, using whatever keys they want.

> -----Original Message-----
> From: Sasha Borodin [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 11:35 AM
> To: Tomcat Users List
> Subject: Post-authentication tasks
>
> I'd like to get some suggestions for performing
> "post-authentication" tasks while using Container Managed
> Authentication.
>
> Craig Berry suggested a filter that checks the session for
> necessary attributes, and creates them if they're missing.
> This check would be performed on every request however.
>
> Has anyone implemented a different approach to this problem?
> I'd like to find a solution in which the extra tasks are
> performed just ONCE, somehow triggered by the container
> authentication. Please reference my previous post on a
> filter vs. session attribute listener approach.
>
> Thanks for any suggestions.
>
> -Sasha Borodin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
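
The filter approach discussed in this thread, sketched as an added example that is not code from either poster or from Tomcat. It keys on `getRemoteUser()` rather than on the session existing, because a session can be created before login succeeds, and it guards the setup against two concurrent requests. The class name, the attribute names and the `setUp` body are hypothetical, and locking on the session object assumes the container returns the same `HttpSession` instance for every request in that session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: run post-auth setup once per authenticated session.
public class PostAuthFilter implements Filter {
    // Hypothetical attribute name marking that setup has completed.
    static final String READY = "example.postAuthReady";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Only a container-authenticated request has a remote user; an
        // anonymous session (e.g. the login page's) is left untouched.
        String user = http.getRemoteUser();
        if (user != null) {
            HttpSession session = http.getSession();
            // Fast path: one attribute lookup on every later request.
            if (session.getAttribute(READY) == null) {
                // Assumption: same HttpSession instance across requests,
                // so this lock serialises concurrent first requests.
                synchronized (session) {
                    if (session.getAttribute(READY) == null) {
                        setUp(session, user);
                        // Set the marker last, so a request that sees it
                        // also sees the completed setup.
                        session.setAttribute(READY, Boolean.TRUE);
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Hypothetical stand-in for the application's own post-auth work.
    void setUp(HttpSession session, String user) {
        session.setAttribute("example.profile", "profile-for-" + user);
    }
}
```

Map the filter in `web.xml` to the same URL patterns the security constraint protects, so every authenticated entry point passes through it.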