Rule #1 in SSO. Your app may not be the one that actually initiated the login. Because, by definition, some other secured app may have been the one logged into - it's SINGLE signon!
Therefore you cannot assume that your app will be able to do post-login processing, since login might have actually happened hours ago on some other app and even on some other server.
This is one of the reasons why J2EE doesn't have a listenable "login" event. In container-managed security, the authentication (login) process is supposed to be totally transparent. Login is done on the first access to any secured URL, or not at all if no secured URLs are requested.
I don't particularly like being forced to a "home page" post-login myself anyway, since I have bookmarkable URLs for fast direct access to frequently-used functions within apps. But that's a personal preference.
While there's no official API for handling logins, there is a simple way of determining that a user has transitioned from insecure to secure modes. Keep a session variable that holds the user ID. Check incoming requests to see if the user ID has transitioned from NULL to NOT NULL. When the transition has occurred, the user has logged in. You can't actually tell that they logged into your particular app because the container doesn't actually log users into apps, it logs them into the Realm, but they have definitely done an SSO login.
You can maintain this mechanism in a servlet listener and the code required is quite simple.
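As an added illustration (not the poster's own code), here is one way to implement the NULL to NOT NULL check described above in a servlet request listener, written against the classic javax.servlet API. The session attribute name and the onLogin() hook are this example's assumptions, and the handling of a user ID that changes mid-session goes a step beyond what the post describes.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Watches every request and fires once per session when the container's
 * user ID goes from NULL to NOT NULL. Register it with a <listener> element
 * in web.xml. The attribute name and onLogin() are this example's own
 * choices (assumptions), not part of the servlet API.
 */
public class LoginTransitionListener implements ServletRequestListener {
    /** Session attribute remembering the user ID seen on earlier requests. */
    static final String LAST_USER_ATTR = "example.lastKnownUser";

    public void requestInitialized(ServletRequestEvent sre) {
        ServletRequest req = sre.getServletRequest();
        if (!(req instanceof HttpServletRequest)) {
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;
        // The Realm decided who this is, possibly hours ago in another app;
        // we only observe the result. Null means not (yet) authenticated.
        String currentUser = http.getRemoteUser();
        if (currentUser == null) {
            return;
        }
        HttpSession session = http.getSession(true);
        String lastUser = (String) session.getAttribute(LAST_USER_ATTR);
        if (lastUser == null) {
            // NULL -> NOT NULL: first authenticated request in this session.
            session.setAttribute(LAST_USER_ATTR, currentUser);
            onLogin(sre.getServletContext(), http, currentUser);
        } else if (!lastUser.equals(currentUser)) {
            // Identity changed mid-session: drop the old session state rather
            // than let the new user inherit it; the next request re-detects.
            sre.getServletContext().log("User changed from " + lastUser
                    + " to " + currentUser + "; invalidating session");
            session.invalidate();
        }
    }

    /** Post-login work (audit log, per-session setup). Do not force a
     *  redirect here; bookmarked secured URLs should still reach their target. */
    protected void onLogin(ServletContext ctx, HttpServletRequest req, String userId) {
        ctx.log("SSO login observed for " + userId + " from " + req.getRemoteAddr());
    }

    public void requestDestroyed(ServletRequestEvent sre) { }
}
```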