Posted to user@struts.apache.org by An...@bd.com on 2002/11/04 21:38:06 UTC

best practices for container managed security

In the past, I used programmatic security when designing my applications.
This allowed me to log attempted logins in the database and to populate the
HttpSession object with values specific to my application: login_id and the
user_id.

For my new projects, I would like to start using declarative security to
streamline my code base.  I would assume that I would have to implement an
HttpSessionListener and/or an HttpSessionActivationListener if I wanted to
monitor the creation of the session object.  This would also allow me to
log a successful login to the database, to populate the HttpSession object
with values specific to my application: login_id and the user_id.  However,
if a login fails, I am not sure how I would record a failed authentication
in the database.  My initial thoughts are that I would set the
<form-error-page> to a Struts Action that logs the failure to the database.

Are there any recommended best practices on how to handle what happens
after container managed security takes over?  I feel that my implementation
feels hokey since the logic is spread out versus centralized like it was
when I managed it myself.

TIA,
Andy
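
The design described in this message, as an added example that is not part of the original post: a Struts Action behind `<form-error-page>` records failures, and a servlet Filter records the first authenticated request and populates the session. It assumes Struts 1.1 (`execute`), Servlet 2.3 filters, the hypothetical names `LoginAudit`, `/loginFailed.do` and forward `login`, and uses `java.util.logging` as a stand-in for the database write.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.action.*;
// Both hooks and the audit write live in one class so the logic stays centralized.
public class LoginAudit {
    private static final Logger LOG = Logger.getLogger("audit.login");
    // web.xml: <form-error-page>/loginFailed.do</form-error-page> (assumed path);
    // struts-config.xml maps "/loginFailed" to type "LoginAudit$FailedAction".
    public static class FailedAction extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest req, HttpServletResponse res) {
            // j_username is visible only if the container forwards the failed
            // request to the error page, so treat it as optional. Never log j_password.
            record("FAILURE", req.getParameter("j_username"), req);
            return mapping.findForward("login"); // assumed forward back to the form
        }
    }

    // Mapped to /* in web.xml; sees the first request after the container authenticates.
    public static class SuccessFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            String user = req.getRemoteUser(); // null until authenticated
            if (user != null && req.getSession().getAttribute("login_id") == null) {
                req.getSession().setAttribute("login_id", user);
                // user_id lookup is application-specific and omitted here
                record("SUCCESS", user, req);
            }
            chain.doFilter(rq, rs);
        }
    }

    // Stand-in for the database insert (assumption: replace with the real audit table).
    static void record(String outcome, String user, HttpServletRequest req) {
        LOG.info("login " + outcome + " user=" + clean(user) + " ip=" + req.getRemoteAddr());
    }

    // The attempted username is attacker-controlled: bound its length and strip
    // control characters so it cannot forge or split audit records.
    static String clean(String s) {
        if (s == null) return "(unknown)";
        String t = s.length() > 64 ? s.substring(0, 64) : s;
        return t.replaceAll("\\p{Cntrl}", "_");
    }
}
```

A session listener's `sessionCreated` typically fires when the login form is first served, before authentication, which is why the success hook here keys on `getRemoteUser()` instead.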

