On 14/05/2010 08:22, Shaun Senecal wrote: > Is there already an existing way to log user login and logout events? > Can it be extended? I need to provide an audit trail, including login > activity, in a database. > > I was thinking I might need to implement an HttpSessionListener which > does the logging on session creation/deletion, but then I wasn't sure > if those would be called multiple times when session replication was > enabled. Does anyone know for sure?
An HttpSessionListener won't fire when a login occurs, but will provide you with ability to log the point at which the session invalidates, which may equate to a logout in your environment. Replication fires the methods of HttpSessionActivationListener. You can subclass a Realm (DataSourceRealm) or an Authenticator (FormAuthenticator) to add additional logging during login events, which'll allow you to log success/failure. It's worth exploring the Tomcat 6 (you didn't mention your version) additional Realms (e.g. LockOutRealm). p > Shaun > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
signature.asc
Description: OpenPGP digital signature
