Spring Security Framework

org.springframework.security.token
Class KeyBasedPersistenceTokenService

java.lang.Object
  extended by org.springframework.security.token.KeyBasedPersistenceTokenService
All Implemented Interfaces:
InitializingBean, TokenService

public class KeyBasedPersistenceTokenService
extends Object
implements TokenService, InitializingBean

Basic implementation of TokenService that is compatible with clusters and across machine restarts, without requiring database persistence.

Keys are produced in the format:

Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )

In the above, creationTime, tokenKey and extendedInformation are equal to that stored in Token. The Sha512Hex includes the same payload, plus a serverSecret.

The serverSecret varies every millisecond. It relies on two static server-side secrets. The first is a password, and the second is a server integer. Both of these must remain the same for any issued keys to subsequently be recognised. The applicable serverSecret in any millisecond is computed by password + ":" + (creationTime % serverInteger). This approach further obfuscates the actual server secret and renders attempts to compute the server secret more limited in usefulness (as any false tokens would be forced to have a creationTime equal to the computed hash). Recall that framework features depending on token services should reject tokens that are relatively old in any event.

A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers. To this end, the use of SecureRandomFactoryBean is recommended to inject the property.

This implementation uses UTF-8 encoding internally for string manipulation.

Author:
Ben Alex

Constructor Summary
KeyBasedPersistenceTokenService()
           
 
Method Summary
 void afterPropertiesSet()
           
 Token allocateToken(String extendedInformation)
          Forces the allocation of a new Token.
 void setPseudoRandomNumberBits(int pseudoRandomNumberBits)
           
 void setSecureRandom(SecureRandom secureRandom)
           
 void setServerInteger(Integer serverInteger)
           
 void setServerSecret(String serverSecret)
           
 Token verifyToken(String key)
          Permits verification the <Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

KeyBasedPersistenceTokenService

public KeyBasedPersistenceTokenService()
Method Detail

allocateToken

public Token allocateToken(String extendedInformation)
Description copied from interface: TokenService
Forces the allocation of a new Token.

Specified by:
allocateToken in interface TokenService
Returns:
a new token that has not been issued previously, and is guaranteed to be recognised by this implementation's TokenService.verifyToken(String) at any future time.

verifyToken

public Token verifyToken(String key)
Description copied from interface: TokenService
Permits verification the <Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.

Specified by:
verifyToken in interface TokenService
Parameters:
key - as obtained from Token.getKey() and created by this implementation
Returns:
the token, or null if the token was not issued by this TokenService

setServerSecret

public void setServerSecret(String serverSecret)
Parameters:
serverSecret - the new secret, which can contain a ":" if desired (never being sent to the client)

setSecureRandom

public void setSecureRandom(SecureRandom secureRandom)

setPseudoRandomNumberBits

public void setPseudoRandomNumberBits(int pseudoRandomNumberBits)
Parameters:
pseudoRandomNumberBits - changes the number of bits issued (must be >= 0; defaults to 256)

setServerInteger

public void setServerInteger(Integer serverInteger)

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface InitializingBean
Throws:
Exception

Spring Security Framework

Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.