5 Replies Latest reply on Jul 13, 2006 9:58 PM by warren crossing

    Adding data to session after login

    Paul Anderson Newbie


      Can anyone give me a best practice answer on adding information to the session immediately after successfully authenticating a user?

      I am currently using the DatabaseServerLoginModule and have my users and roles etc in a database. If the user has provided a valid username and password through j_username and j_password and is authenticated I want to run a query to select some data from the database and add it to the session.

      I was thinking that I just need to subclass the DatabaseServerLoginModule and overide either the "login()" or "commit()" method in it's parent class which authenticates the user... this way I could tag on my "select" at the end and put the result in the session.....

      Is this the right way to go?


        • 1. Re: Adding data to session after login
          Benjamin Hough Newbie

          did you ever find your solution for this? i want to do the exact same thing, can't find any other related threads that seem to deal with this issue.

          • 2. Re: Adding data to session after login
            warren crossing Newbie

            The flaw is that loginmodule and request sessions are not interoperable

            I propose a solution thus,

            after requesting j_login_config and performing a successful login automaticall redirected to the protected resource. Perhaps you need to use a FilterChain mapping on * and call getUserPrinciapl then cast the ServletRequest to HttpServletRequest and get the session. Check the session for the principal is null or equality. If it is null or not not equal, then the user has logged in or relogged in.

            Hope this help/works

            • 3. Re: Adding data to session after login
              chris griffith Expert


              Warrenc6 is leading you in the wrong direction.

              Your idea to extend DatabaseServerLoginModule is a good choice. In order for you to access the HttpSession from you login module you will need to see http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication

              let us know if you need more help, cgriffith

              • 4. Re: Adding data to session after login
                Paul Anderson Newbie

                Hi j2ee_junkie,

                Yes, thanks for that. I had come to the same conclusion a little while ago now. I have indeed settled for my original idea which is to populate some beans via a database query during the login process. i.e. If the user has logged in successfully then I query the database and then put the populated beans in the session for future use.

                'anavailablename', if you are still stuck with what to do you could always try this:

                public class DBLoginModule extends DatabaseServerLoginModule {
                 /** The JACC PolicyContext key for the current Subject */
                 public static final String WEB_REQUEST_KEY = "javax.servlet.http.HttpServletRequest";
                 public boolean login() throws LoginException {
                 boolean loginAccepted = super.login();
                 if(loginAccepted) {
                 HttpServletRequest request = null;
                 HttpSession session = null;
                 try {
                 request = (HttpServletRequest) PolicyContext.getContext(WEB_REQUEST_KEY);
                 session = ((HttpServletRequest) request).getSession(true);
                 } catch(PolicyContextException e) {
                 log.error("Unable to retrieve Policy Context: "+e.getMessage());
                 return false;
                 // make your database queries here and populate beans
                 // add to session
                 // NB: if you need to due to errors or other problems you can always revoke
                 // the login at any point by setting loginAccepted to false.
                 return loginAccepted;

                • 5. Re: Adding data to session after login
                  warren crossing Newbie

                  Glad that it works.

                  Point to note however, from a code design perspective you are assuming that your loginmodule is on the same machine/process as jboss-tomcat.

                  For arguments sake say loginmodule was a proxy to another loginmodule on another platform. You totally lose portability.

                  That is not C.O.O.L. ! Bad PolicyContext bad PolicyContext

                  If PolicyContext was a cat, I wouldn't feed it.