Java EE authentication: how to capture login event?

by

There’s no such event in Java EE. Yet. As part of JSR375, container managed security will be totally reworked as it’s currently scattered across different container implemantations and is not cross-container compatible. This is outlined in this Java EE 8 Security API presentation.

There’s already a reference implementation of Security API in progress, Soteria, developed by among others my fellow Arjan Tijms. With the new Security API, CDI will be used to fire authentication events which you can just @Observes. Discussion on the specification took place in this mailing list thread. It’s not yet concretely implemented in Soteria.

Until then, assuming FORM based authentication whereby the user principal is internally stored in the session, your best bet is manually checking in a servlet filter if there’s an user principal present in the request while your representation of the logged-in user is absent in the HTTP session.

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
    HttpServletRequest request = (HttpServletRequest) req;
    String username = request.getRemoteUser();

    if (username != null && request.getSession().getAttribute("user") == null) {
        // First-time login. You can do your thing here.
        User user =  yourUserService.find(username);
        request.getSession().setAttribute("user", user);
    }

    chain.doFilter(req, res);
}

Do note that registering a filter on /j_security_check is not guaranteed to work as a decent container will handle it internally before the first filters are hit, for obvious security reasons (user-provided filters could manipulate the request in a bad way, either accidentally or awarely).

If you however happen to use a Java EE server uses the Undertow servletcontainer, such as WildFly, then there’s a more clean way to hook on its internal notification events and then fire custom CDI events. This is fleshed out in this blog of Arjan Tijms. As shown in the blog, you can ultimately end up with a CDI bean like this:

@SessionScoped
public class SessionAuthListener implements Serializable {

    private static final long serialVersionUID = 1L;

    public void onAuthenticated(@Observes AuthenticatedEvent event) {
        String username = event.getUserPrincipal().getName();
        // Do something with name, e.g. audit, 
        // load User instance into session, etc
    }

    public void onLoggedOut(@Observes LoggedOutEvent event) {
        // take some action, e.g. audit, null out User, etc
    }
}

More Related Contents:

  1. How to exclude one url from authorization
  2. How can I upload files to a server using JSP/Servlet?
  3. PowerMockito mock single static method and return object
  4. Can someone explain mappedBy in JPA and Hibernate?
  5. Why does JPA have a @Transient annotation?
  6. What to learn for making Java web applications in Java EE 6? [closed]
  7. What are good InstallAnywhere replacements for installing a Java EE application?
  8. Java EE specification and multi threading
  9. Cannot create JDBC driver of class ‘ ‘ for connect URL ‘null’ : I do not understand this exception
  10. Httpclient 4, error 302. How to redirect?
  11. How to use Jersey as JAX-RS implementation without web.xml?
  12. No Persistence provider for EntityManager named X
  13. Hibernate, iBatis, Java EE or other Java ORM tool
  14. Does JAXB support xsd:restriction?
  15. Stateless and Stateful Enterprise Java Beans
  16. Websocket Authentication and Authorization in Spring
  17. dll missing in JDBC
  18. Sending POST request with username and password and save session cookie
  19. Customize authentication failure response in Spring Security using AuthenticationFailureHandler
  20. Responsibilities and use of Service and DAO Layers
  21. How to properly logout of a Java EE 6 Web Application after logging in
  22. Eclipse Web Project Dependencies
  23. Java Web Service client basic authentication
  24. JEE7: Do EJB and CDI beans support container-managed transactions?
  25. How do you enable JMX in Websphere?
  26. Hibernate Criteria for Dates
  27. PersistenceUnit vs PersistenceContext
  28. how to set header no cache in spring mvc 3 by annotation
  29. Java EE Enterprise Application: perform some action on deploy/startup [duplicate]
  30. Session TimeOut in web.xml

Leave a Comment