Detecting a login or logoff event

2011-10-06 Thread Martin O'Shea 
I need to be able to intercept a successful authentication of a login / logout 
request which can then be used to make a series of system updates to record the 
fact.

So, if John Doe has just logged in successfully, an update is made to his 
session like:

session.setAttribute(loggedIntoSession, true);

Or an update made to the database?

Conversely, upon logout:

session.setAttribute(loggedIntoSession, false);

At the moment, I am thinking about scriptlets in the pages served testing the 
request's servlet path after login is successful but is a filter better? But if 
so, what might a filter check for?

-Original Message-
From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
Sent: 05 Oct 2011 23 06
To: 'Tomcat Users List'
Subject: RE: Using multiple login pages

Thanks for this Chris. It is food for thought.

I was under the impression that form-login-page was static, because that's 
how I seen it used in apps I've worked on.

But I am curious to try a filter as well, something like this mapped to the 
login:

public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain) throws java.io.IOException, ServletException {


  HttpServletRequest req = (HttpServletRequest)request;
  HttpServletResponse res = (HttpServletResponse)response;

  // pre login action
  
  // get username 
  String username = req.getParameter(j_username);

  // if user is in revoked list send error
  if ( revokeList.contains(username) ) {
  res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
  return;
  }
  
  // call next filter in the chain : let j_security_check authenticate 
  // user
  chain.doFilter(request, response);

  // post login action

   }

I wouldn't mind seeing a servlet specified as form-login-page if you know of 
an example.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 05 Oct 2011 22 08
To: Tomcat Users List
Subject: Re: Using multiple login pages

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Martin,

On 10/5/2011 1:59 PM, Martin O'Shea wrote:
 I have it now. There was a redirection going on in a method called 
 from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

 But one thing bugs me still: you said that you can have 'different 
 login pages for different types of resources you're trying to
 reach.' Can you give any pointers about this?

A page is defined as whatever the server responds when you request a
resource. The form-login-page you configure in your web.xml can be
dynamic: you can do whatever you want in that page. It doesn't have to
be a static form that always looks the same. You can
include/forward/etc from that page. It doesn't even have to be a JSP.
You can configure the login-form-page to be a servlet that makes
decisions and forwards to some other .jsp file.

Use your imagination.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6MxyEACgkQ9CaO5/Lv0PByHACfZL9ykx3wPGApX1yyzjxYwkQR
Rf4AoJG5DnnBtbIFYzZsKSLzPJOjJq2j
=A5GW
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Detecting a login or logoff event

2011-10-06 Thread Chema 
For logout, you can implement a HttpSessionListener .
It has got a method:

public void sessionDestroyed(HttpSessionEvent se)

It's invoked when http session is invalidated. ( session.invalidated() )

So, you have to invalidate http session when user makes logout ( i.e, user
clicks a logout button and calls a servlet )
To capture when user is closing the browser , you need use javascript events
and throw a call to the server. Maybe, a filter can be use to capture this
event

For login, you can use Spring Security
Maybe for logout too, but I don't know it
Or your use your own filters




2011/10/6 Martin O'Shea app...@dsl.pipex.com

 I need to be able to intercept a successful authentication of a login /
 logout request which can then be used to make a series of system updates to
 record the fact.

 So, if John Doe has just logged in successfully, an update is made to his
 session like:

 session.setAttribute(loggedIntoSession, true);

 Or an update made to the database?

 Conversely, upon logout:

 session.setAttribute(loggedIntoSession, false);

 At the moment, I am thinking about scriptlets in the pages served testing
 the request's servlet path after login is successful but is a filter better?
 But if so, what might a filter check for?

 -Original Message-
 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Sent: 05 Oct 2011 23 06
 To: 'Tomcat Users List'
 Subject: RE: Using multiple login pages

 Thanks for this Chris. It is food for thought.

 I was under the impression that form-login-page was static, because
 that's how I seen it used in apps I've worked on.

 But I am curious to try a filter as well, something like this mapped to the
 login:

 public void doFilter(ServletRequest request, ServletResponse response,
 FilterChain chain) throws java.io.IOException, ServletException {


  HttpServletRequest req = (HttpServletRequest)request;
  HttpServletResponse res = (HttpServletResponse)response;

  // pre login action

  // get username
  String username = req.getParameter(j_username);

  // if user is in revoked list send error
  if ( revokeList.contains(username) ) {
  res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
  return;
  }

  // call next filter in the chain : let j_security_check authenticate
  // user
  chain.doFilter(request, response);

  // post login action

   }

 I wouldn't mind seeing a servlet specified as form-login-page if you know
 of an example.

 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: 05 Oct 2011 22 08
 To: Tomcat Users List
 Subject: Re: Using multiple login pages

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Martin,

 On 10/5/2011 1:59 PM, Martin O'Shea wrote:
  I have it now. There was a redirection going on in a method called
  from a scriptlet in the login page. It now seems to be OK.

 Glad you got it going.

  But one thing bugs me still: you said that you can have 'different
  login pages for different types of resources you're trying to
  reach.' Can you give any pointers about this?

 A page is defined as whatever the server responds when you request a
 resource. The form-login-page you configure in your web.xml can be
 dynamic: you can do whatever you want in that page. It doesn't have to
 be a static form that always looks the same. You can
 include/forward/etc from that page. It doesn't even have to be a JSP.
 You can configure the login-form-page to be a servlet that makes
 decisions and forwards to some other .jsp file.

 Use your imagination.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.10 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

 iEYEARECAAYFAk6MxyEACgkQ9CaO5/Lv0PByHACfZL9ykx3wPGApX1yyzjxYwkQR
 Rf4AoJG5DnnBtbIFYzZsKSLzPJOjJq2j
 =A5GW
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Detecting a login or logoff event

2011-10-06 Thread Martin O'Shea 
Unfortunately I'm not using spring in my application but thanks anyway.

-Original Message-
From: Chema [mailto:demablo...@gmail.com] 
Sent: 06 Oct 2011 15 02
To: Tomcat Users List
Subject: Re: Detecting a login or logoff event

For logout, you can implement a HttpSessionListener .
It has got a method:

public void sessionDestroyed(HttpSessionEvent se)

It's invoked when http session is invalidated. ( session.invalidated() )

So, you have to invalidate http session when user makes logout ( i.e, user
clicks a logout button and calls a servlet ) To capture when user is closing
the browser , you need use javascript events and throw a call to the server.
Maybe, a filter can be use to capture this event

For login, you can use Spring Security
Maybe for logout too, but I don't know it Or your use your own filters




2011/10/6 Martin O'Shea app...@dsl.pipex.com

 I need to be able to intercept a successful authentication of a login 
 / logout request which can then be used to make a series of system 
 updates to record the fact.

 So, if John Doe has just logged in successfully, an update is made to 
 his session like:

 session.setAttribute(loggedIntoSession, true);

 Or an update made to the database?

 Conversely, upon logout:

 session.setAttribute(loggedIntoSession, false);

 At the moment, I am thinking about scriptlets in the pages served 
 testing the request's servlet path after login is successful but is a
filter better?
 But if so, what might a filter check for?

 -Original Message-
 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Sent: 05 Oct 2011 23 06
 To: 'Tomcat Users List'
 Subject: RE: Using multiple login pages

 Thanks for this Chris. It is food for thought.

 I was under the impression that form-login-page was static, because 
 that's how I seen it used in apps I've worked on.

 But I am curious to try a filter as well, something like this mapped 
 to the
 login:

 public void doFilter(ServletRequest request, ServletResponse response, 
 FilterChain chain) throws java.io.IOException, ServletException {


  HttpServletRequest req = (HttpServletRequest)request;
  HttpServletResponse res = (HttpServletResponse)response;

  // pre login action

  // get username
  String username = req.getParameter(j_username);

  // if user is in revoked list send error
  if ( revokeList.contains(username) ) {

res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
  return;
  }

  // call next filter in the chain : let j_security_check authenticate
  // user
  chain.doFilter(request, response);

  // post login action

   }

 I wouldn't mind seeing a servlet specified as form-login-page if you 
 know of an example.

 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: 05 Oct 2011 22 08
 To: Tomcat Users List
 Subject: Re: Using multiple login pages

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Martin,

 On 10/5/2011 1:59 PM, Martin O'Shea wrote:
  I have it now. There was a redirection going on in a method called 
  from a scriptlet in the login page. It now seems to be OK.

 Glad you got it going.

  But one thing bugs me still: you said that you can have 'different 
  login pages for different types of resources you're trying to 
  reach.' Can you give any pointers about this?

 A page is defined as whatever the server responds when you request a 
 resource. The form-login-page you configure in your web.xml can be
 dynamic: you can do whatever you want in that page. It doesn't have to 
 be a static form that always looks the same. You can 
 include/forward/etc from that page. It doesn't even have to be a JSP.
 You can configure the login-form-page to be a servlet that makes 
 decisions and forwards to some other .jsp file.

 Use your imagination.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.10 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

 iEYEARECAAYFAk6MxyEACgkQ9CaO5/Lv0PByHACfZL9ykx3wPGApX1yyzjxYwkQR
 Rf4AoJG5DnnBtbIFYzZsKSLzPJOjJq2j
 =A5GW
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Detecting a login or logoff event

2011-10-06 Thread Caldarale, Charles R 
 From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
 Subject: Detecting a login or logoff event

 I need to be able to intercept a successful authentication of a 
 login / logout request which can then be used to make a series
 of system updates to record the fact.

 I am thinking about scriptlets in the pages served testing the 
 request's servlet path after login is successful

If the integrity of your information is dependent on actions of the client, you 
have no data integrity.  There's nothing stopping a client from disabling 
scripts, running their own scripts, or doing anything else by accident or 
intent - you cannot control that.  Anything you do for tracking must be done on 
the server side.

You probably can use a filter, but a Listener might be more appropriate.  See 
section 10 of the servlet spec.  (Make sure you're looking at the current spec 
for the Tomcat version you're using; the 2.2 spec you referenced earlier is 
badly out of date.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

RE: Detecting a login or logoff event

2011-10-06 Thread Martin O'Shea 
I had thought to use scriptlets.

But I've rigged a filter on the server which tests for the mappings of the few 
protected pages which require logins. It seems to work and update session 
variables which is what I'm after. My issue is that a session may well have 
been created prior to login so using a listener here via sessionCreated may not 
be useful.

Detecting a logoff is easier using the sessionDestroyed method.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 06 Oct 2011 15 05
To: Tomcat Users List
Subject: RE: Detecting a login or logoff event

 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Subject: Detecting a login or logoff event

 I need to be able to intercept a successful authentication of a login 
 / logout request which can then be used to make a series of system 
 updates to record the fact.

 I am thinking about scriptlets in the pages served testing the 
 request's servlet path after login is successful

If the integrity of your information is dependent on actions of the client, you 
have no data integrity.  There's nothing stopping a client from disabling 
scripts, running their own scripts, or doing anything else by accident or 
intent - you cannot control that.  Anything you do for tracking must be done on 
the server side.

You probably can use a filter, but a Listener might be more appropriate.  See 
section 10 of the servlet spec.  (Make sure you're looking at the current spec 
for the Tomcat version you're using; the 2.2 spec you referenced earlier is 
badly out of date.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Detecting a login or logoff event

2011-10-06 Thread Chema 
2011/10/6 Martin O'Shea app...@dsl.pipex.com


 Detecting a logoff is easier using the sessionDestroyed method.


How do you detect that an user is closing his browser ?

Re: Detecting a login or logoff event

2011-10-06 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Martin,

On 10/6/2011 9:29 AM, Martin O'Shea wrote:
 I need to be able to intercept a successful authentication of a
 login / logout request which can then be used to make a series of
 system updates to record the fact.
 
 So, if John Doe has just logged in successfully, an update is made
 to his session like:
 
 session.setAttribute(loggedIntoSession, true);
 
 Or an update made to the database?
 
 Conversely, upon logout:
 
 session.setAttribute(loggedIntoSession, false);
 
 At the moment, I am thinking about scriptlets in the pages served 
 testing the request's servlet path after login is successful

That sounds like a fragile way to do it: you have to make sure that
all JSPs have the same scriptlet, use it properly, have error
recovery, etc.

 but is a filter better?

Absolutely: this is the kind of thing that Filters were created for.

 But if so, what might a filter check for?

That depends. If you are using FORM authentication, then this stuff is
possible. If you use HTTP BASIC/DIGEST or CLIENT-CERT, things get
complicated.

Let's assume FORM. It's simple: in your Filter, check to see if the
user is logged-in (request.getPrincipal) but there is no
loggedIntoSession token in the session. If that's the case, perform
your login procedure and then write your loggedIntoSession token
into the session.

As others have suggested, for logout you'll have to use a
HttpSessionListener. If the user was logged-in, you can get their
loggedIntoSession token (which ought to include some identifier for
them) and do whatever you want. No need to remove the
loggedInotSession token, since the session will be destroyed anyway.

We use this exact same technique to do things like update the
last-logged-in date of the user, as well as loading user-specific
preferences from the database into the session. The entire Filter
class, including blank lines, imports, comments, and specialized
methods to build the preferences objects to store in the session is a
mere 336 lines of code. This is something that is not terribly complex
to handle.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6N+FIACgkQ9CaO5/Lv0PB+nwCfR3AMFmDy3vejPIBT0IREapjA
wb4AmwZ7GOJ51pVDBrnG1m7E7x2xZhit
=NXi/
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org