8

I want to log every login in my web application. I was able to access the logins which take place through UsernamePasswordAuthenticationFilter but I don't know how to log users who log in using remember-me functionality. I tried overriding the

createSuccessfulAuthentication(HttpServletRequest request, UserDetails user)

of TokenBasedRememberMeServices, but then logouts are recorded too, because the remember-me service re-authenticates the user.

Shaun the Sheep
Kani

3 Answers

9

The best way of logging authentication success and failures is to use a Spring ApplicationListener.

Spring Security publishes various events for authentication success and failure which you can listen for. Events are also published when access is denied to a resource.

You can look at LoggerListener as an example. Start by adding one of those to your application context and it will automatically log authentication events at warn level.

Regarding remember-me logins, if you logout and then access the site immediately afterwards, and are re-authenticated using a remember-me cookie, then technically that is the same as any other remember-me authentication, so there's not much you can do about it.

However, if your logout success URL is passing through the remember-me filter, and that is how the new session is being created (without any additional action from the user), then simply omit that page from the security filter chain.

Shaun the Sheep
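A listener along the lines this answer describes, as an added example that is not part of the original answer or Spring Security's own code: it writes one line per InteractiveAuthenticationSuccessEvent and uses the token type to tell remember-me logins from form logins. The class name LoginAuditListener, the log format and the use of SLF4J are assumptions of this example.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Hypothetical listener: register it as a bean in the application context,
// the same way LoggerListener is registered.
public class LoginAuditListener implements ApplicationListener<AbstractAuthenticationEvent> {

    private static final Logger log = LoggerFactory.getLogger(LoginAuditListener.class);

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        Authentication auth = event.getAuthentication();
        String user = clean(auth.getName());
        String ip = remoteAddress(auth);

        if (event instanceof InteractiveAuthenticationSuccessEvent) {
            // Published by the form-login filter and by the remember-me filter
            // when a login completes; the token type says which one it was.
            String method = (auth instanceof RememberMeAuthenticationToken) ? "remember-me" : "form";
            log.info("login success user={} method={} ip={}", user, method, ip);
        } else if (event instanceof AbstractAuthenticationFailureEvent) {
            String reason = ((AbstractAuthenticationFailureEvent) event)
                    .getException().getClass().getSimpleName();
            log.warn("login failure user={} reason={} ip={}", user, reason, ip);
        }
        // Other events (e.g. AuthenticationSuccessEvent) are skipped to avoid double entries.
    }

    // WebAuthenticationDetails is what the web filters attach to the token by default.
    private static String remoteAddress(Authentication auth) {
        Object details = auth.getDetails();
        return (details instanceof WebAuthenticationDetails)
                ? ((WebAuthenticationDetails) details).getRemoteAddress() : "unknown";
    }

    // A submitted username is untrusted input: replace control characters
    // (CR, LF, ...) so a value cannot forge additional log lines.
    private static String clean(String value) {
        return value == null ? "" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```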
6

For logging each successful login, I think the best way is to create a LoginSucessHandler and specify authentication-success-handler for normal login as well as remember-me. I have done this with the code and configuration below.

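import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
// Assumes the principal is Spring Security's User; import your own class if it differs
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Service;

@Service
public class LoginSucessHandler extends
        SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws ServletException, IOException {
        User user = (User) authentication.getPrincipal();
        // record login success of user
        // then continue with the default redirect to the saved request
        super.onAuthenticationSuccess(request, response, authentication);
    }

}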

<http auto-config="true" use-expressions="true">
    <form-login login-page="/login"
        authentication-failure-url="/login.hst?error=true"
        authentication-success-handler-ref="loginSucessHandler" />
    <logout invalidate-session="true" logout-success-url="/home"
        logout-url="/logout" />
    <remember-me key="jbcp" authentication-success-handler-ref="loginSucessHandler"/>
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
</http>
Jigar Parekh
0

I think that in your case a solution that will help is to use a custom filter, which will intercept every request to your application. In this filter you can log the username for every request.

Here I described how to add your custom filter. You just need to change the functionality to what you want. And don't forget to put your filter after the security filter chain in web.xml.

Community
dimas