In the past, I used programmatic security when designing my applications. This allowed me to log attempted logins in the database and to populate the HttpSession object with values specific to my application: login_id and the user_id.
For my new projects, I would like to start using declarative security to streamline my code base. I would assume that I would have to implement an HttpSessionListener and/or an HttpSessionActivationListener if I wanted to monitor the creation of the session object. This would also allow me to log a successful login to the database, to populate the HttpSession object with values specific to my application: login_id and the user_id.
However, if a login fails, I am not sure how I would record a failed authentication in the database. My initial thoughts are that I would set the <form-error-page> to a Struts Action that logs the failure to the database.
Are there any recommended best practices on how to handle what happens after container managed security takes over? I feel that my implementation feels hokey since the logic is spread out versus centralized like it was when I managed it myself.
TIA,
Andy
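
The <form-error-page> approach described in the message above, sketched as an added example that is not part of the original post. The class name, the /loginFailed.do path, the "loginError" forward, the JNDI name and the login_audit table are all hypothetical; the Struts 1 Action API and the servlet form-login elements are standard.

```java
// Added example. Assumed web.xml wiring for container-managed FORM login:
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/loginFailed.do</form-error-page>
//     </form-login-config>
//   </login-config>
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Timestamp;
import javax.naming.InitialContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LoginFailedAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // Whether j_username is still readable here depends on the container
        // (forward vs. redirect to the error page), so treat it as optional.
        String attempted = clean(request.getParameter("j_username"));

        // Hypothetical JNDI name and table. j_password is never read or stored.
        DataSource ds = (DataSource) new InitialContext()
                .lookup("java:comp/env/jdbc/AuditDB");
        try (Connection con = ds.getConnection();
             PreparedStatement ps = con.prepareStatement(
                 "INSERT INTO login_audit"
                 + " (attempted_login, remote_addr, outcome, attempted_at)"
                 + " VALUES (?, ?, 'FAILED', ?)")) {
            ps.setString(1, attempted);
            ps.setString(2, request.getRemoteAddr());
            ps.setTimestamp(3, new Timestamp(System.currentTimeMillis()));
            ps.executeUpdate();
        }
        return mapping.findForward("loginError"); // hypothetical forward name
    }

    // Bound the length and replace control characters so attacker-chosen input
    // cannot bloat the audit table or forge lines if the value is later logged.
    static String clean(String s) {
        if (s == null) return "(unavailable)";
        String t = s.replaceAll("\\p{Cntrl}", "?");
        return t.length() > 64 ? t.substring(0, 64) : t;
    }
}
```

The action runs for every failed attempt, so the insert uses a bound parameter rather than string concatenation, and the audit row carries the remote address to support later lockout or rate-limit decisions.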