If you're using J2EE standard container-managed security, the container (Tomcat, Websphere, or whatever) will intercept URLs, match them up against the patterns defined in web.xml, and, if the need for elevated security is detected, it will shunt the URL aside, presenting the login process. Once login is complete, the original URL is then processed.
This is very convenient, since it means that you can make bookmarkable links to secured parts of the application, plus it eliminates one of my favourite ways of blowing the Do-It-Yourself security systems to shreds, since probably two-thirds of them make the false assumption that hackers are going to play by the rules. J2EE security knows better than that.
If bookmarkable links aren't important to you but landing on a specific home page after login is, you can add a servlet filter to the webapp.
There is no actual "login" event that you can listen for in J2EE, since if the site is set up with Single Sign-On, the user could have done their actual login 25 minutes earlier to an entirely different application, possibly even running in an entirely different server (which might not even have been a Java server). Or in the most extreme case, security might have been done when the user logged into their computer. So that can make things a little sticky.
But, allowing for that, there's a simple way to tell when a user has logged in, even if it's a bit indirect and after the fact.
If the request getUser and getUserPrincipal functions return null, the user is not logged in, even though he, she, it, or whatever may have an HttpSession object. The detection of login is as simple as detecting the transition from null to not-null. Obviously, you have to have someplace to store the prior state so you can compare, and normally that would be an HttpSession attribute.
So, if the user ID is not null, but the cached user ID for the previous request WAS null, you've caught a login. Obviously, that includes the situation where there was no previous session, so once login is detected, discard the incoming URL and forward to your home page.
It takes roughly 5-10 lines of code. If the user was logged out - either explicitly or due to timeout - you end up with no previously-cached user ID, since the HttpSession was destroyed, and that addresses your specific inquiry.
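A sketch of the null-to-not-null check described above, as an added example that is not part of the original post. It assumes the `javax.servlet` API and reads the user with `HttpServletRequest.getRemoteUser()`; the class name, the session attribute key and the `/home.jsp` path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LoginLandingFilter implements Filter {
    // Hypothetical names: session attribute key and landing page path.
    private static final String CACHED_USER = "loginLanding.cachedUser";
    private static final String HOME_PAGE = "/home.jsp";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Null until the container (or an upstream SSO mechanism) has authenticated the caller.
        String user = request.getRemoteUser();

        if (user == null) {
            // Anonymous request: nothing to record, and no session is created for it here.
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(true);
        if (session.getAttribute(CACHED_USER) == null) {
            // Transition from null to not-null: first authenticated request in this session.
            // A new session after logout or timeout lands here again, since the old
            // HttpSession and its cached user ID were destroyed.
            session.setAttribute(CACHED_USER, user);
            // Discard the incoming URL and forward to the home page.
            request.getRequestDispatcher(HOME_PAGE).forward(req, res);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The container does not apply web.xml security constraints to a `RequestDispatcher` forward, so the landing page should not depend on a role constraint that the original URL lacked. Map the filter only to URLs under the secured patterns so the container's own checks always run first.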