A log showing the following info (at least) must be available:
- Account who has been logged.
- Date/Time the session has been started.
- Date/Time the session has been ended (by the user or automatically due to inactivity, etc.).
Suggest that this be specified some sort of new optional service defined in the applib.
If present, then on login and logout we can call this new optional service.
I can imagine there being a requirement to surface this info in the UI, which probably means persisting to a database, ie some sort of new audit entity.
Easiest option is to have the new service could be implemented by isisaddons' isis-module-security? Or perhaps a completely new isisaddon service if don't want to couple this?
Not sure how to capture timeouts; is this info available through some sort of Wicket callback? Perhaps it should be done through a Quartz scheduler service, which can mark sessions as dead if not used for 15 minutes?