Spring Security Framework

Class TokenBasedRememberMeServices

  extended by org.springframework.security.ui.rememberme.AbstractRememberMeServices
      extended by org.springframework.security.ui.rememberme.TokenBasedRememberMeServices
All Implemented Interfaces:
InitializingBean, LogoutHandler, RememberMeServices

public class TokenBasedRememberMeServices
extends AbstractRememberMeServices

Identifies previously remembered users by a Base-64 encoded cookie.

This implementation does not rely on an external database, so is attractive for simple applications. The cookie will be valid for a specific period from the date of the last AbstractRememberMeServices.loginSuccess(HttpServletRequest, HttpServletResponse, Authentication). As per the interface contract, this method will only be called when the principal completes a successful interactive authentication. As such the time period commences from the last authentication attempt where they furnished credentials - not the time period they last logged in via remember-me. The implementation will only send a remember-me token if the parameter defined by AbstractRememberMeServices.setParameter(String) is present.

An UserDetailsService is required by this implementation, so that it can construct a valid Authentication from the returned UserDetails. This is also necessary so that the user's password is available and can be checked as part of the encoded cookie.

The cookie encoded by this implementation adopts the following form:

 username + ":" + expiryTime + ":" + Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)

As such, if the user changes their password, any remember-me token will be invalidated. Equally, the system administrator may invalidate every remember-me token on issue by changing the key. This provides some reasonable approaches to recovering from a remember-me token being left on a public machine (eg kiosk system, Internet cafe etc). Most importantly, at no time is the user's password ever sent to the user agent, providing an important security safeguard. Unfortunately the username is necessary in this implementation (as we do not want to rely on a database for remember-me services) and as such high security applications should be aware of this occasionally undesired disclosure of a valid username.

This is a basic remember-me implementation which is suitable for many applications. However, we recommend a database-based implementation if you require a more secure remember-me approach (see PersistentTokenBasedRememberMeServices).

By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed using AbstractRememberMeServices.setTokenValiditySeconds(int).

Ben Alex

Field Summary
Fields inherited from class org.springframework.security.ui.rememberme.AbstractRememberMeServices
Constructor Summary
Method Summary
protected  int calculateLoginLifetime(HttpServletRequest request, Authentication authentication)
          Calculates the validity period in seconds for a newly generated remember-me login.
protected  boolean isTokenExpired(long tokenExpiryTime)
protected  String makeTokenSignature(long tokenExpiryTime, String username, String password)
          Calculates the digital signature to be put in the cookie.
 void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication)
          Called from loginSuccess when a remember-me login has been requested.
 UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response)
          Called from autoLogin to process the submitted persistent login cookie.
protected  String retrievePassword(Authentication authentication)
protected  String retrieveUserName(Authentication authentication)
Methods inherited from class org.springframework.security.ui.rememberme.AbstractRememberMeServices
afterPropertiesSet, autoLogin, cancelCookie, decodeCookie, encodeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, logout, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setCookie, setCookieName, setKey, setParameter, setTokenValiditySeconds, setUserDetailsService
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail


public TokenBasedRememberMeServices()
Method Detail


public UserDetails processAutoLoginCookie(String[] cookieTokens,
                                          HttpServletRequest request,
                                          HttpServletResponse response)
Description copied from class: AbstractRememberMeServices
Called from autoLogin to process the submitted persistent login cookie. Subclasses should validate the cookie and perform any additional management required.

Specified by:
processAutoLoginCookie in class AbstractRememberMeServices
cookieTokens - the decoded and tokenized cookie value
request - the request
response - the response, to allow the cookie to be modified if required.
the UserDetails for the corresponding user account if the cookie was validated successfully.


protected String makeTokenSignature(long tokenExpiryTime,
                                    String username,
                                    String password)
Calculates the digital signature to be put in the cookie. Default value is MD5 ("username:tokenExpiryTime:password:key")


protected boolean isTokenExpired(long tokenExpiryTime)


public void onLoginSuccess(HttpServletRequest request,
                           HttpServletResponse response,
                           Authentication successfulAuthentication)
Description copied from class: AbstractRememberMeServices
Called from loginSuccess when a remember-me login has been requested. Typically implemented by subclasses to set a remember-me cookie and potentially store a record of it if the implementation requires this.

Specified by:
onLoginSuccess in class AbstractRememberMeServices


protected int calculateLoginLifetime(HttpServletRequest request,
                                     Authentication authentication)
Calculates the validity period in seconds for a newly generated remember-me login. After this period (from the current time) the remember-me login will be considered expired. This method allows customization based on request parameters supplied with the login or information in the Authentication object. The default value is just the token validity period property, tokenValiditySeconds.

The returned value will be used to work out the expiry time of the token and will also be used to set the maxAge property of the cookie.

See SEC-485.

request - the request passed to onLoginSuccess
authentication - the successful authentication object.
the lifetime in seconds.


protected String retrieveUserName(Authentication authentication)


protected String retrievePassword(Authentication authentication)

Spring Security Framework

Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.