AbstractRememberMeServices (Spring Security 3.0.8.RELEASE API)

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.springframework.security.web.authentication.rememberme
Class AbstractRememberMeServices

java.lang.Object
  org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

All Implemented Interfaces:: InitializingBean, LogoutHandler, RememberMeServices

Direct Known Subclasses:: PersistentTokenBasedRememberMeServices, TokenBasedRememberMeServices

public abstract class AbstractRememberMeServices
extends Object
implements RememberMeServices, InitializingBean, LogoutHandler
extends Object
implements RememberMeServices, InitializingBean, LogoutHandler

Base class for RememberMeServices implementations.

Since:: 2.0

Field Summary
`static String`	`DEFAULT_PARAMETER`
`protected org.apache.commons.logging.Log`	`logger`
`protected MessageSourceAccessor`	`messages`
`static String`	`SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY`
`static int`	`TWO_WEEKS_S`

Constructor Summary
`AbstractRememberMeServices()`

Method Summary
`void`	`afterPropertiesSet()`
`Authentication`	`autoLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the `processAutoLoginCookie` method.
`protected void`	`cancelCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.
`protected Authentication`	`createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, UserDetails user)` Creates the final `Authentication` object returned from the `autoLogin` method.
`protected String[]`	`decodeCookie(String cookieValue)` Decodes the cookie and splits it into a set of token strings using the ":" delimiter.
`protected String`	`encodeCookie(String[] cookieTokens)` Inverse operation of decodeCookie.
`protected String`	`extractRememberMeCookie(javax.servlet.http.HttpServletRequest request)` Locates the Spring Security remember me cookie in the request and returns its value.
`protected AuthenticationDetailsSource`	`getAuthenticationDetailsSource()`
`protected String`	`getCookieName()`
`String`	`getKey()`
`String`	`getParameter()`
`protected int`	`getTokenValiditySeconds()`
`protected UserDetailsService`	`getUserDetailsService()`
`void`	`loginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid.
`void`	`loginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)` Examines the incoming request and checks for the presence of the configured "remember me" parameter.
`void`	`logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)` Implementation of `LogoutHandler`.
`protected void`	`onLoginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)`
`protected abstract void`	`onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)` Called from loginSuccess when a remember-me login has been requested.
`protected abstract UserDetails`	`processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Called from autoLogin to process the submitted persistent login cookie.
`protected boolean`	`rememberMeRequested(javax.servlet.http.HttpServletRequest request, String parameter)` Allows customization of whether a remember-me login has been requested.
`void`	`setAlwaysRemember(boolean alwaysRemember)`
`void`	`setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)`
`protected void`	`setCookie(String[] tokens, int maxAge, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Sets the cookie on the response
`void`	`setCookieName(String cookieName)`
`void`	`setKey(String key)`
`void`	`setParameter(String parameter)` Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request.
`void`	`setTokenValiditySeconds(int tokenValiditySeconds)`
`void`	`setUserDetailsService(UserDetailsService userDetailsService)`
`void`	`setUseSecureCookie(boolean useSecureCookie)`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY

public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY

See Also:: Constant Field Values

DEFAULT_PARAMETER

public static final String DEFAULT_PARAMETER

See Also:: Constant Field Values

TWO_WEEKS_S

public static final int TWO_WEEKS_S

See Also:: Constant Field Values

logger

protected final org.apache.commons.logging.Log logger

messages

protected MessageSourceAccessor messages

Constructor Detail

AbstractRememberMeServices

public AbstractRememberMeServices()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Specified by:: afterPropertiesSet in interface InitializingBean

Throws:: Exception

autoLogin

public final Authentication autoLogin(javax.servlet.http.HttpServletRequest request,
                                      javax.servlet.http.HttpServletResponse response)

Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method.

The returned username is then used to load the UserDetails object for the user, which in turn is used to create a valid authentication token.

Specified by:: autoLogin in interface RememberMeServices

Parameters:: request - to look for a remember-me token within; response - to change, cancel or modify the remember-me token
Returns:: a valid authentication object, or null if the request should not be authenticated

extractRememberMeCookie

protected String extractRememberMeCookie(javax.servlet.http.HttpServletRequest request)

Locates the Spring Security remember me cookie in the request and returns its value. The cookie is searched for by name and also by matching the context path to the cookie path.

Parameters:: request - the submitted request which is to be authenticated
Returns:: the cookie value (if present), null otherwise.

createSuccessfulAuthentication

protected Authentication createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                                                        UserDetails user)

Creates the final Authentication object returned from the autoLogin method.

By default it will create a RememberMeAuthenticationToken instance.

Parameters:: request - the original request. The configured AuthenticationDetailsSource will use this to build the details property of the returned object.; user - the UserDetails loaded from the UserDetailsService. This will be stored as the principal.
Returns:: the Authentication for the remember-me authenticated user

decodeCookie

protected String[] decodeCookie(String cookieValue)
                         throws InvalidCookieException

Decodes the cookie and splits it into a set of token strings using the ":" delimiter.

Parameters:: cookieValue - the value obtained from the submitted cookie
Returns:: the array of tokens.
Throws:: InvalidCookieException - if the cookie was not base64 encoded.

encodeCookie

protected String encodeCookie(String[] cookieTokens)

Inverse operation of decodeCookie.

Parameters:: cookieTokens - the tokens to be encoded.
Returns:: base64 encoding of the tokens concatenated with the ":" delimiter.

loginFail

public final void loginFail(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)

Description copied from interface: RememberMeServices

Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated in the HttpServletRequest.

Specified by:: loginFail in interface RememberMeServices

Parameters:: request - that contained an invalid authentication request; response - to change, cancel or modify the remember-me token

onLoginFail

protected void onLoginFail(javax.servlet.http.HttpServletRequest request,
                           javax.servlet.http.HttpServletResponse response)

loginSuccess

public final void loginSuccess(javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpServletResponse response,
                               Authentication successfulAuthentication)

Examines the incoming request and checks for the presence of the configured "remember me" parameter. If it's present, or if alwaysRemember is set to true, calls onLoginSucces.

Specified by:: loginSuccess in interface RememberMeServices

Parameters:: request - that contained the valid authentication request; response - to change, cancel or modify the remember-me token; successfulAuthentication - representing the successfully authenticated principal

onLoginSuccess

protected abstract void onLoginSuccess(javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpServletResponse response,
                                       Authentication successfulAuthentication)

Called from loginSuccess when a remember-me login has been requested. Typically implemented by subclasses to set a remember-me cookie and potentially store a record of it if the implementation requires this.

rememberMeRequested

protected boolean rememberMeRequested(javax.servlet.http.HttpServletRequest request,
                                      String parameter)

Allows customization of whether a remember-me login has been requested. The default is to return true if alwaysRemember is set or the configured parameter name has been included in the request and is set to the value "true".

Parameters:: request - the request submitted from an interactive login, which may include additional information indicating that a persistent login is desired.; parameter - the configured remember-me parameter name.
Returns:: true if the request includes information indicating that a persistent login has been requested.

processAutoLoginCookie

protected abstract UserDetails processAutoLoginCookie(String[] cookieTokens,
                                                      javax.servlet.http.HttpServletRequest request,
                                                      javax.servlet.http.HttpServletResponse response)
                                               throws RememberMeAuthenticationException,
                                                      UsernameNotFoundException

Called from autoLogin to process the submitted persistent login cookie. Subclasses should validate the cookie and perform any additional management required.

Parameters:: cookieTokens - the decoded and tokenized cookie value; request - the request; response - the response, to allow the cookie to be modified if required.
Returns:: the UserDetails for the corresponding user account if the cookie was validated successfully.
Throws:: RememberMeAuthenticationException - if the cookie is invalid or the login is invalid for some other reason.; UsernameNotFoundException - if the user account corresponding to the login cookie couldn't be found (for example if the user has been removed from the system).

cancelCookie

protected void cancelCookie(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)

Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.

Parameters:: request -; response -

setCookie

protected void setCookie(String[] tokens,
                         int maxAge,
                         javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)

Sets the cookie on the response

Parameters:: tokens - the tokens which will be encoded to make the cookie value.; maxAge - the value passed to Cookie.setMaxAge(int); request - the request; response - the response to add the cookie to.

logout

public void logout(javax.servlet.http.HttpServletRequest request,
                   javax.servlet.http.HttpServletResponse response,
                   Authentication authentication)

Implementation of LogoutHandler. Default behaviour is to call cancelCookie().

Specified by:: logout in interface LogoutHandler

Parameters:: request - the HTTP request; response - the HTTP response; authentication - the current principal details

setCookieName

public void setCookieName(String cookieName)

getCookieName

protected String getCookieName()

setAlwaysRemember

public void setAlwaysRemember(boolean alwaysRemember)

setParameter

public void setParameter(String parameter)

Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request. This should be the same name you assign to the checkbox in your login form.

Parameters:: parameter - the HTTP request parameter

getParameter

public String getParameter()

getUserDetailsService

protected UserDetailsService getUserDetailsService()

setUserDetailsService

public void setUserDetailsService(UserDetailsService userDetailsService)

setKey

public void setKey(String key)

getKey

public String getKey()

setTokenValiditySeconds

public void setTokenValiditySeconds(int tokenValiditySeconds)

getTokenValiditySeconds

protected int getTokenValiditySeconds()

setUseSecureCookie

public void setUseSecureCookie(boolean useSecureCookie)

getAuthenticationDetailsSource

protected AuthenticationDetailsSource getAuthenticationDetailsSource()

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)