It does not have to be a filter, but it is important to get info about the successful login of the user (username, token...).

Do you know how?

Using a filter would not be the correct way here. Alfresco actually defines an AuthenticationListener interface (https://github.com/Alfresco/alfresco-remote-api/blob/master/src/main/java/org/alfresco/repo/web/auth...) which could be used in this case. The big problem is just that Alfresco does not support having more than one authentication listener (by default), and the one "spot" may already be taken by a default bean / addon module bean. I actually ran into that problem myself and had to develop a small workaround / facade (https://github.com/Acosix/alfresco-utility/blob/master/full/repository/src/main/java/de/acosix/alfre...) to support multiple listeners in an Alfresco system. There are also two different layers where authentication listeners may be invoked - one from the SSO filter layer and another from more generic user name / password login components. This requires that a custom listener or facade be registered with two beans. My rather complex (because of compatibility / flexibility concerns) configuration can be seen in https://github.com/Acosix/alfresco-utility/blob/master/full/repository/src/main/config/module-contex...

Thank you very much. Your input is very useful.

To be more precise, I want to find the IP address of the client for the currently authenticated user. This info should be used later in my custom PermissionService.

The IP I can fetch using HttpServletRequest#getRemoteAddr(). But I have to relate this client IP info with the user. I thought that ticket and username (because the user can connect from different clients at the same time) could be the way to go.

Do you have an idea of how to fetch IP address for the currently authenticated user and use that info in the PermissionService later?