repost.. One thing we added to what Rabi is doing is as follows: We track version with each object. If the user object is already on the session then we get it off and double-check to make sure that the version on the session is the most up-to-date. If it isn't, then we refresh that object on the session with what's in the database. This way we're guaranteed to have the most-recent user information on the session.
This is all done in a filter that is mapped to everything, providing post-login processing. Jeff. On Wed, 13 Mar 2002 09:25:09 -0600 "Satter, Rabi" <[EMAIL PROTECTED]> wrote: > I had the same issue. We did do it as a filter. However we checked to see if > the a user context object (ie object where the informaiton was stored) > existed in the session. If not then checked to see if the user was logged > in. If not then skip setting up the object. Works pretty good. > > -----Original Message----- > From: Aaron Tavistock [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, March 12, 2002 1:44 PM > To: Orion-Interest > Subject: J2EE Security issue... > > > We've been using J2EE based security for some time now, its working great > for us supporting several hundred users distributed across a handful of > servers. > > Heres my issue - I have a set of things that happen on every page, a portion > of which is looking for a 'new' login which then launches a series of things > including doing database lookups, dropping stuff in the session, etc. > > Its occured to me that it would be significantly more effective if this was > chained off the J2EE authentication, instead of checking on each page. I > started looking into it and it looks like 1) its not part of the spec and 2) > Orion has no specific implementation. The current implementation of J2EE > security is so completely handled by the container that theres no way to get > something in there. > > I then started going down the question of 'what is J2EE security except a > filter?', so I could potentially chain a filter through there? It doesn't > solve the problem because it still happens on each page hit. > > Anyone have any ideas on the best way to do 'postprocessing' when the user > is authenticated? > -- Jeff Hubbach Internet Developer Sun Certified Web Component Developer New Media Division ITQ Lata, L.L.C. 303-745-4763 x3114 -- Jeff Hubbach Internet Developer Sun Certified Web Component Developer New Media Division ITQ Lata, L.L.C. 303-745-4763 x3114