Bret,

Bret Davies wrote:
> I want to be able to track who (by user defined name) logs in and
> when. Can you help me out or point me in the right direction.

I'm assuming that you are using container-manager security -- that is, Tomcat is enforcing the authorization and does its own authentication, etc. In that case, you can't capture the "login" event itself without going pretty far out of your way.

I wanted to do this a while ago and determined that the best solution for my needs was to create a filter. My filter is applied to all URIs in my application. It checks to see if the user is logged-in ("null != request.getUserPrincipal()"), and if there is an attribute in the session called "user". If no such attribute occurs, I load the user from the database and set the "last login date" (as well as put an entry in my login_history table), and then put the user object into the session.

This is pretty much the easiest way to do it if you ask me. Note that you still can't record failed logins, which you may decide to do. In order to do that, I chose to switch security mechanisms and instead use securityfilter, which mimics the behavior of the container-manager authentication and authorization, but is much more configurable and pluggable IMO.

Using securityfilter, I am able to capture failed logins and record them in my database for retrospective security auditing without resorting to container-specific code.

Hope that helps,
-chris
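The filter approach described in the message above, as an added example that is not the poster's code. It assumes the javax.servlet API; the class name, the LoginRecorder interface and the LOGIN_RECORDED attribute name are hypothetical, and the default recorder writes to the container log where the message uses a login_history table.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Date;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: records the first authenticated request seen in each session.
public class LoginAuditFilter implements Filter {

    /** Hypothetical persistence hook, e.g. an INSERT into a login_history table. */
    public interface LoginRecorder {
        void record(String username, String remoteAddr, Date when);
    }

    // Hypothetical session attribute meaning "this login was already recorded".
    static final String LOGIN_RECORDED = "audit.loginRecorded";

    // Default recorder writes to the container log; swap in a database-backed one.
    private LoginRecorder recorder;

    public void init(final FilterConfig config) {
        recorder = new LoginRecorder() {
            public void record(String user, String addr, Date when) {
                config.getServletContext().log("login user=" + user + " addr=" + addr + " at=" + when);
            }
        };
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            Principal principal = request.getUserPrincipal();
            if (principal != null) {                     // container has authenticated the user
                HttpSession session = request.getSession(true);
                synchronized (session) {                 // best-effort guard against parallel first requests
                    if (session.getAttribute(LOGIN_RECORDED) == null) {
                        recorder.record(principal.getName(), request.getRemoteAddr(), new Date());
                        session.setAttribute(LOGIN_RECORDED, Boolean.TRUE);
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to /* in web.xml so that every URI in the application passes through it.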