I figured you would say to use a realm, but I was hoping there was
another way :)  I'm using OpenSSO, which requires the use of its own
Realm.  I will see if I can extend it to add the login auditing and
still have everything work.

Using Tomcat 6, sorry I forgot to mention that.  I will take a look at
the LockOutRealm, but unless I can have multiple realms it might not
help me here.

Thanks for the tip.  I'll give it a try.



Shaun

On Fri, May 14, 2010 at 4:36 PM, Pid <p...@pidster.com> wrote:
> On 14/05/2010 08:22, Shaun Senecal wrote:
>> Is there already an existing way to log user login and logout events?
>> Can it be extended?  I need to provide an audit trail, including login
>> activity, in a database.
>>
>> I was thinking I might need to implement an HttpSessionListener which
>> does the logging on session creation/deletion, but then I wasn't sure
>> if those would be called multiple times when session replication was
>> enabled.  Does anyone know for sure?
>
> An HttpSessionListener won't fire when a login occurs, but will provide
> you with ability to log the point at which the session invalidates,
> which may equate to a logout in your environment.
>
> Replication fires the methods of HttpSessionActivationListener.
>
> You can subclass a Realm (DataSourceRealm) or an Authenticator
> (FormAuthenticator) to add additional logging during login events,
> which'll allow you to log success/failure.
>
> It's worth exploring the Tomcat 6 (you didn't mention your version)
> additional Realms (e.g. LockOutRealm).
>
>
> p
>
>
>
>> Shaun
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
>
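
The two hooks Pid describes in the quoted reply, as an added example that is not code from this thread or from Tomcat: a Realm subclass that records login success/failure, and an HttpSessionListener that records session invalidation. The class names, the `audit.login` logger and the `auditUser` session attribute are assumptions made for illustration; a database audit trail would replace the logger calls with inserts.

```java
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.catalina.realm.DataSourceRealm;

/** Hypothetical subclass: records the outcome of each username/password login. */
public class AuditingDataSourceRealm extends DataSourceRealm {
    // Assumed logger name; route it to whatever audit store is required.
    static final Logger AUDIT = Logger.getLogger("audit.login");

    // Covers the username/password path used by BASIC and FORM authentication.
    @Override
    public Principal authenticate(String username, String credentials) {
        Principal principal = super.authenticate(username, credentials);
        // Never write the credentials. Strip CR/LF so a crafted username
        // cannot forge additional audit lines.
        String safeUser = (username == null)
                ? "<null>" : username.replaceAll("[\\r\\n]", "_");
        AUDIT.info("login " + (principal != null ? "success" : "failure")
                + " user=" + safeUser);
        return principal;
    }
}

/** Hypothetical listener; register it with a <listener> element in web.xml. */
class AuditingSessionListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent event) {
        // A session is normally created before authentication completes,
        // so this callback is not a login event and is left unlogged.
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        // Fires on explicit invalidate() and on timeout, so it marks the end
        // of the session rather than a deliberate logout.
        // "auditUser" is an assumed attribute the application sets after login.
        Object user = event.getSession().getAttribute("auditUser");
        if (user != null) {
            String safeUser = user.toString().replaceAll("[\\r\\n]", "_");
            AuditingDataSourceRealm.AUDIT.info("session end user=" + safeUser);
        }
    }
}
```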
