Need help in reporting of protected resources in web application

Hi,
I am using form based authentication for viewing protected resources of my web application. By j_security_check, it authenticates the user and if authentication is successful, then user can view protected resources of the site.

Now I want to generate a report of which protected resources are accessed by which user along with its timestamp.

Now my question is can I generate this report by j_security_check. I am not sure how should I call my ReportingDAO from web tier as with j_security_check the whole authentication is done by container itself.

Thanks

You can use a filter that is invoked for all requests. Use the isUserInRole method to find the role and you can get the query string as well. Log it and then pass it on to the servlet.

Originally posted by John Meyers:
You can use a filter that is invoked for all requests. Use the isUserInRole method to find the role and you can get the query string as well. Log it and then pass it on to the servlet.

Thanks John for your reply. So if I use a filter, how user is going to be authenticated. Do I have to write database code for authentication or can I use the same FORM authentication of container? How the flow is going to be?

Thanks once again

Naseem

This is what I have done for form based authentication...

<security-constraint> <display-name>Example Security Constraint</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/pdfs/*</url-pattern> <!-- If you list http methods, only those methods are protected --> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <!-- Anyone with one of the listed roles may access this area --> <role-name>manager</role-name> <role-name>user</role-name> <role-name>admin</role-name> </auth-constraint> </security-constraint> <!-- Default login configuration uses form-based authentication --> <login-config> <auth-method>FORM</auth-method> <realm-name>Example Form-Based Authentication Area</realm-name> <form-login-config> <form-login-page>/registration/login.jsp</form-login-page> <form-error-page>/registration/login_error.jsp</form-error-page> </form-login-config> </login-config>

Now, if user is not authenticated, login page opens. In login.jsp, I have a form whose action I have set to j_security_check. Form fields are j_user_name and j_password.

<filter> <filter-name>LoginFilter</filter-name> <filter-class>com.filters.LoginFilter</filter-class> </filter> <filter-mapping> <filter-name>LoginFilter</filter-name> <url-pattern>/j_security_check</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> </filter-mapping>

I mapped a login filter with the url pattern /j_security_check. So from login.jsp, when user submits the login page, Login filter should be called.

I don't know why my LoginFilter is not called? Filter gets called only when I change url-pattern of LoginFilter to /pdfs/* (i.e., same as the url patter n of the protected resource)

Can anyone please help me in this regard

I am deploying my web application on tomcat. Is it a bug of tomcat?


Thanks
[ January 06, 2007: Message edited by: Naseem Khan ]

Guys, could you please help me. Is this possible or not? If not then is there any other way of doing it.

Naseem

Since that seems to be a FAQ, I've added an entry to the Servlets FAQ.
[ January 08, 2007: Message edited by: Ulf Dittmer ]