> Where in the AUTH process does the session get created?  Does Tomcat
> create a session, even if the AUTH failed?  This would invalidate this
> whole idea. The creation of a session object would no longer imply that
> the session owner is Authenticated.
From my observations, a session is created (and cookie sent to browser) as
soon as the login form is requested (before the authentication takes place).
So this would make a SessionListener not useful unfortunately.

> Are you convinced that a filter would be too much load ?
> Is there a single point of entry to your app?  How about a short piece
> of code here to do the post-auth?
I think the overhead would be negligible (compared to some of my other design
choices :-), but I always try to eliminate extra work for the app when
possible.  If I can figure out a way to catch the authentication, rather
than check every request, I'd be happier...

> Finally, it just occurs to me that if you knew what Tomcat places into
> the session to indicate an Authenticated user, you could use an
> javax.servlet.HttpSessionAttributesListener class to listen for that
> particular attribute.
That is precisely what I'm investigating.  I'm trying to figure out if and
under what key Tomcat stores the user Principal upon authentication in the
session.  If I can figure this out (I'm sifting through the code right now),
I can set up an HttpSessionAttributesListener to look for the binding of
that attribute, and fire off my post-login tasks based on that event.

However, a big drawback would be if the key name, or Object class were
container specific - I'm trying to keep the app container-neutral, other
than my realm classes.  I have not found any implementation details
concerning this in the Servlet spec document, so I'm afraid it's up to the
vendor.

If anyone's got some light to shed on user Principal storage and
standardization, please drop us a line.

Thank you!

-Sasha Borodin

>> -----Original Message-----
>> From: Sasha Borodin [mailto:[EMAIL PROTECTED]
>> Sent: Monday, July 28, 2003 11:35 AM
>> To: Tomcat Users List
>> Subject: Post-authentication tasks
>> 
>> 
>> I'd like to get some suggestions for performing
>> "post-authentication" tasks while using Container Managed
>> Authentication.
>> 
>> Craig Berry suggested a filter that checks the session for
>> necessary attributes, and creates them if they're missing.
>> This check would be performed on every request however.
>> 
>> Has anyone implemented a different approach to this problem?
>> I'd like to find a solution in which the extra tasks are
>> performed just ONCE, somehow triggered by the container
>> authentication.  Please reference my previous post on a
>> filter vs. session attribute listener approach.
>> 
>> Thanks for any suggestions.
>> 
>> -Sasha Borodin
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>> 


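An added example, not code from this thread or from Tomcat itself: the "run once per session" variant of the filter approach Craig Berry suggested, written against the Servlet API only. It keys on request.getUserPrincipal() rather than on the existence of a session, since, as noted above, the container creates the session before authentication happens. The attribute name postAuth.done and the runPostLoginTasks body are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Runs post-authentication setup exactly once per authenticated session.
 * Uses only getUserPrincipal() and session attributes, so it does not depend
 * on the container-specific key under which Tomcat stores the Principal.
 */
public class PostAuthFilter implements Filter {

    // Assumed marker attribute; any key the app does not otherwise use works.
    static final String DONE_KEY = "postAuth.done";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal user = http.getUserPrincipal();
            // A session may exist before login; only a non-null Principal
            // means the container has actually authenticated this request.
            if (user != null) {
                HttpSession session = http.getSession(true);
                // Two near-simultaneous requests right after login could both
                // see the marker missing; serialize the check-and-set.
                synchronized (session) {
                    if (session.getAttribute(DONE_KEY) == null) {
                        runPostLoginTasks(http, user);
                        session.setAttribute(DONE_KEY, Boolean.TRUE);
                    }
                }
            }
        }
        // Every request still proceeds; the filter only adds the one-time hook.
        chain.doFilter(req, res);
    }

    /** Hypothetical post-login work: load a profile, record the login, etc. */
    protected void runPostLoginTasks(HttpServletRequest req, Principal user) {
        req.getSession().setAttribute("user.name", user.getName());
    }
}
```

Map the filter in web.xml to the same URL patterns your security constraints cover. The per-request cost is one getUserPrincipal() call and one attribute lookup; the actual tasks run once, and because the marker lives in the session, invalidating the session at logout means they run again on the next login. The synchronized block assumes the container hands back the same HttpSession object for concurrent requests in one session, which the Servlet spec does not guarantee; if that matters, guard with a separate lock keyed by session ID instead.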