I'm successfully using FORM-based logins in my application but I have
a few questions. When a user logs in, I want to attach certain information
to the session. Currently I use a filter that checks to see if the
request.getRemoteUser is set (or has changed) and if so, I do a database
call to get the User information, instantiate a UserClass and set it into
the session. It works fine but...
The filter gets called for every request but only acts when a user logs in.
Sure the test (to see if anything needs to be done) is simple and fairly
quick, but it is done for _every_ request.
Is there a better way?
I'm thinking something similar in style to the HttpSessionListener interface.
Maybe an AuthenticationListener. Tomcat 4 (or any Servlet 2.3 container :)
"knows" when a user has been authenticated (or, for that matter, when the
authentication/session times out) but I don't see any way to hook into that
event. The timed out session information can be had using the
HttpSessionListener.sessionDestroyed() method and my application knows
if, in the very rare case :-) that a user actually logs out. But notification
of an authentification seems to be missing (from the spec).
The HttpSessionListener.sessionCreated() method doesn't do what I want since
a session is created even when a user is not authenticated.
How do others attach information to the session once a user has been
authenticated?
Thanks,
Kevin HaleBoyes
____________________________________________________________
Do You Yahoo!?
Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
or your free @yahoo.ie address at http://mail.yahoo.ie
