1 Reply Latest reply on Nov 7, 2004 8:43 AM by mikefinn

    notification of authentication success/failure

    atomray

      Hi,

      In my web application I would like to store the last time the user has logged into the application. I'm using the standard Servlet 2.4 mechanisms (web.xml declarative security with Form based authentication) and JBoss's DatabaseServerLoginModule (JBoss 3.2.5).

      I've been through the specs, searched the web, and looked at a great deal of the JBoss/Tomcat code searching for an efficient way to do this but the only thing I have come up with is testing the request.getRemoteUser() in a Filter that sits in front of all requests to my application, and noting when the return value becomes non-null. It works, but isn't ideal. I haven't been able to find any way to listen for some type of notification that a login attempt has occurred.

      Does anyone have any suggestions?

      The only other thought that occurred to me is that perhaps it would be possible to use AOP to intercept the authentication? I don't know much about AOP, is it time to learn?

      Thanks,
      Adam

        • 1. Re: notification of authentication success/failure
          mikefinn

          You could modify the login module you're using to trap login attempts or successes and record them somewhere - database, file, etc. Otherwise, I think you're limited to the solution you described. Unfortunately, there's no way I know of to intercept the login process, since the j_security_check is a container-internal URI.

          mike
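The filter approach described in the question, written out as an added example that is not part of the original thread: it records a login the first time a session presents an authenticated user. The class name, the session attribute name and the `recordLogin` hook are assumptions; only standard Servlet 2.4 API calls are used.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LastLoginFilter implements Filter {
    // Session marker holding the user whose login was already recorded (name is an assumption).
    private static final String RECORDED_USER = "lastLogin.recordedUser";
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String user = http.getRemoteUser();      // null until the container has authenticated
            if (user != null) {
                HttpSession session = http.getSession(true);
                // Best-effort guard so parallel requests in one session record only once.
                synchronized (session) {
                    if (!user.equals(session.getAttribute(RECORDED_USER))) {
                        session.setAttribute(RECORDED_USER, user);
                        recordLogin(user, new Date(), http.getRemoteAddr());
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Hypothetical hook: replace the log call with an UPDATE of the user's last-login column.
    protected void recordLogin(String user, Date when, String remoteAddr) {
        ctx.log("login user=" + user + " at=" + when + " from=" + remoteAddr);
    }

    public void destroy() { }
}
```

Mapped to `/*` in web.xml, this sees only successful logins, because a failed j_security_check never produces a non-null `getRemoteUser()`. Failed attempts are visible only inside the login module, as the reply suggests.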