Spring-Security: Call method after authentication

Question

I\'d like to track when users are logging in to my application. I have some code that I would like to execute right after the user is authenticated. The problem is, I can\'t fig

Answer 1

Authentication does not necessarily imply successful login. A user can be successfully authenticated via, e.g., two-way SSL (X.509 certs), and still Spring Security will redirect you to an error page if session concurrency management is set up with max-sessions="1" and this is a second concurrent login attempt. If your setup is simple, without session concurrency control, you can assume login = authentication for all practical purposes. Otherwise, if you have, e.g., logic that records every successful login in a database, you will have to invoke this logic at the point of actual login, not at the point of authentication. One way (by no means optimal, subject to my limited understanding of the Spring Security framework) to do this is to implement your own ConcurrentSessionControlAuthenticationStrategy (click here for the source code) and inject it into CompositeSessionAuthenticationStrategy in your Spring Security (3.2 and above) configuration XML:

    .
    .
    
    .
    .

.
.

    
        
            
                
                
                
            
            
            
                
            
        
    

I would have preferred to inject a custom PostLogin handler into the framework's ConcurrentSessionControlAuthenticationStrategy, instead of copy-pasting from it into my custom ConcurrentSessionControlAuthenticationStrategy and making modifications to it, but I do not know of a way to do this at the moment.

A more complete configuration example can be found here.