Point me in the right direction - LogoutFilter? LoggerListener? something else?

  • Point me in the right direction - LogoutFilter? LoggerListener? something else?

    I need to implement/add some functionality to an app that already uses Spring Security. Currently we are using Form based login with our own JDBC based user details service and optional 'remember me'. That could change sometime in the future (maybe LDAP?) or not.

    But what I need to add is the ability to log, in a DB preferably, when a user logs in, what their user ID is, their remote IP and so on. I wrote an experimental class that extends LoggerListener and I can capture that info by looking for certain events - although the session ID changes after I log it (I think I understand why, but I want to capture the real session ID that is set later - for debugging purposes).

    I would also like to log the following:

    1) When they logout and what the session ID was. I am not really seeing how to do this reliably in a LoggerListener.

    2) Maybe if they try to login or access something and their session has expired and they have to reauthenticate.

    3) When someone attempts to login and it fails - along with relevant info (their IP addy and who they tried to login as). I can see this in the listener if I listen for the AuthenticationFailureBadCredentialsEvent and such.

    Anyway, some of this I am capturing already, but with a lot of instanceof checking on the events and so on. It seems crude and not very robust, and some data I am not seeing how to capture.

    Ideas? Examples?

    A combination of the LogoutFilter, or a logout handler and the logger listener?

    Purely a bunch of security filters?

    Some other approach I am missing?

    Thanks.

  • #2
    I decided to implement a logout handler which broadcasts a logout event. I insert it into the filter chain before the existing logout filter (I think). And then I have a LoggerListener which captures the various security events I want to record in a DB.

    The following is from my security context, but I think it is wrong:

    Code:
    <beans:bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
        <beans:constructor-arg index="0" value="/login.jsp?logout=1" /> <!-- URL redirected to after logout -->
        <beans:constructor-arg index="1">
            <beans:list>
                <beans:ref bean="logoutBroadcaster"/>
                <beans:ref bean="rememberMeServices"/>
                <beans:bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
            </beans:list>
        </beans:constructor-arg>
        <custom-filter before="LOGOUT_FILTER"/>
    </beans:bean>
    I don't think I need the last two beans (remember me and the handler) in the list, because if I understand how this works correctly, there is a logout filter after this one? The one that is from the auto-config? Right?

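The approach described in post #2, as an added example that is not the poster's code or part of Spring Security: a logout handler that publishes an application event carrying the user, session ID and remote address for a listener to record. The class names `LogoutBroadcaster` and `LogoutEvent` are assumptions (only the bean id `logoutBroadcaster` appears in the thread), and the imports assume the Spring Security 2.0.x packages shown in the config above.

```java
// Added example with hypothetical class names; file LogoutBroadcaster.java.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.security.Authentication;
import org.springframework.security.ui.logout.LogoutHandler;

/** Hypothetical event; a listener in the same package reads the fields. */
class LogoutEvent extends ApplicationEvent {
    final String username;
    final String sessionId;
    final String remoteAddr;

    LogoutEvent(Object source, String username, String sessionId, String remoteAddr) {
        super(source);
        this.username = username;
        this.sessionId = sessionId;
        this.remoteAddr = remoteAddr;
    }
}

/** Publishes a LogoutEvent; does not clear the context or the session itself. */
public class LogoutBroadcaster implements LogoutHandler, ApplicationEventPublisherAware {
    private ApplicationEventPublisher publisher;

    public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
        this.publisher = publisher;
    }

    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication auth) {
        // getSession(false): never create a new session just to log its ID.
        HttpSession session = request.getSession(false);
        // auth is null when the logout URL is requested without a logged-in user.
        String user = (auth != null) ? auth.getName() : null;
        String sid = (session != null) ? session.getId() : null;
        // Store these values with a parameterized INSERT in the listener;
        // the username on failed or anonymous requests is attacker-controlled.
        publisher.publishEvent(new LogoutEvent(this, user, sid, request.getRemoteAddr()));
    }
}
```

Because the handler reads the session ID, it has to appear in the handler list before `SecurityContextLogoutHandler`, which invalidates the session by default; the list in the config above already has that order.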