public abstract class AbstractRememberMeServices extends Object implements RememberMeServices, InitializingBean, LogoutHandler
Modifier and Type | Field and Description |
---|---|
static String |
DEFAULT_PARAMETER |
protected org.apache.commons.logging.Log |
logger |
protected MessageSourceAccessor |
messages |
static String |
SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY |
static int |
TWO_WEEKS_S |
Modifier | Constructor and Description |
---|---|
protected |
AbstractRememberMeServices()
Deprecated.
Use constructor injection
|
protected |
AbstractRememberMeServices(String key,
UserDetailsService userDetailsService) |
Modifier and Type | Method and Description |
---|---|
void |
afterPropertiesSet() |
Authentication |
autoLogin(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Template implementation which locates the Spring Security cookie, decodes it into
a delimited array of tokens and submits it to subclasses for processing
via the processAutoLoginCookie method.
|
protected void |
cancelCookie(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.
|
protected Authentication |
createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
UserDetails user)
Creates the final Authentication object returned from the autoLogin method.
|
protected String[] |
decodeCookie(String cookieValue)
Decodes the cookie and splits it into a set of token strings using the ":" delimiter.
|
protected String |
encodeCookie(String[] cookieTokens)
Inverse operation of decodeCookie.
|
protected String |
extractRememberMeCookie(javax.servlet.http.HttpServletRequest request)
Locates the Spring Security remember me cookie in the request and returns its value.
|
protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> |
getAuthenticationDetailsSource() |
protected String |
getCookieName() |
String |
getKey() |
String |
getParameter() |
protected int |
getTokenValiditySeconds() |
protected UserDetailsService |
getUserDetailsService() |
void |
loginFail(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Called whenever an interactive authentication attempt was made, but the credentials supplied by the user
were missing or otherwise invalid.
|
void |
loginSuccess(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
Authentication successfulAuthentication)
Examines the incoming request and checks for the presence of the configured "remember me" parameter.
|
void |
logout(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
Authentication authentication)
Implementation of
LogoutHandler . |
protected void |
onLoginFail(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response) |
protected abstract void |
onLoginSuccess(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
Authentication successfulAuthentication)
Called from loginSuccess when a remember-me login has been requested.
|
protected abstract UserDetails |
processAutoLoginCookie(String[] cookieTokens,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Called from autoLogin to process the submitted persistent login cookie.
|
protected boolean |
rememberMeRequested(javax.servlet.http.HttpServletRequest request,
String parameter)
Allows customization of whether a remember-me login has been requested.
|
void |
setAlwaysRemember(boolean alwaysRemember) |
void |
setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource) |
void |
setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) |
protected void |
setCookie(String[] tokens,
int maxAge,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Sets the cookie on the response.
|
void |
setCookieName(String cookieName) |
void |
setKey(String key)
Deprecated.
Use constructor injection
|
void |
setParameter(String parameter)
Sets the name of the parameter which should be checked for to see if a remember-me has been requested
during a login request.
|
void |
setTokenValiditySeconds(int tokenValiditySeconds) |
void |
setUserDetailsChecker(UserDetailsChecker userDetailsChecker)
Sets the strategy to be used to validate the
UserDetails object obtained for
the user when processing a remember-me cookie to automatically log in a user. |
void |
setUserDetailsService(UserDetailsService userDetailsService)
Deprecated.
Use constructor injection
|
void |
setUseSecureCookie(boolean useSecureCookie)
Whether the cookie should be flagged as secure or not.
|
public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
public static final String DEFAULT_PARAMETER
public static final int TWO_WEEKS_S
protected final org.apache.commons.logging.Log logger
protected final MessageSourceAccessor messages
@Deprecated protected AbstractRememberMeServices()
protected AbstractRememberMeServices(String key, UserDetailsService userDetailsService)
public void afterPropertiesSet() throws Exception
afterPropertiesSet
in interface InitializingBean
Exception
public final Authentication autoLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
The returned username is then used to load the UserDetails object for the user, which in turn is used to create a valid authentication token.
autoLogin
in interface RememberMeServices
request
- to look for a remember-me token withinresponse
- to change, cancel or modify the remember-me tokennull
if the request should not be authenticatedprotected String extractRememberMeCookie(javax.servlet.http.HttpServletRequest request)
request
- the submitted request which is to be authenticatedprotected Authentication createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, UserDetails user)
By default it will create a RememberMeAuthenticationToken instance.
request
- the original request. The configured AuthenticationDetailsSource will
use this to build the details property of the returned object.user
- the UserDetails loaded from the UserDetailsService. This will be
stored as the principal.protected String[] decodeCookie(String cookieValue) throws InvalidCookieException
cookieValue
- the value obtained from the submitted cookieInvalidCookieException
- if the cookie was not base64 encoded.protected String encodeCookie(String[] cookieTokens)
cookieTokens
- the tokens to be encoded.public final void loginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
RememberMeServices
HttpServletRequest
.loginFail
in interface RememberMeServices
request
- that contained an invalid authentication requestresponse
- to change, cancel or modify the remember-me tokenprotected void onLoginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
public final void loginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
loginSuccess
in interface RememberMeServices
request
- that contained the valid authentication requestresponse
- to change, cancel or modify the remember-me tokensuccessfulAuthentication
- representing the successfully authenticated principalprotected abstract void onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
protected boolean rememberMeRequested(javax.servlet.http.HttpServletRequest request, String parameter)
request
- the request submitted from an interactive login, which may include additional information
indicating that a persistent login is desired.parameter
- the configured remember-me parameter name.protected abstract UserDetails processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws RememberMeAuthenticationException, UsernameNotFoundException
cookieTokens
- the decoded and tokenized cookie valuerequest
- the requestresponse
- the response, to allow the cookie to be modified if required.RememberMeAuthenticationException
- if the cookie is invalid or the login is invalid for some
other reason.UsernameNotFoundException
- if the user account corresponding to the login cookie couldn't be found
(for example if the user has been removed from the system).protected void cancelCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void setCookie(String[] tokens, int maxAge, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
useSecureCookie
property to false
to override this. If you set it to true
, the cookie will always be flagged
as secure. If Servlet 3.0 is used, the cookie will be marked as HttpOnly.tokens
- the tokens which will be encoded to make the cookie value.maxAge
- the value passed to Cookie.setMaxAge(int)
request
- the requestresponse
- the response to add the cookie to.public void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
LogoutHandler
. Default behaviour is to call cancelCookie()
.logout
in interface LogoutHandler
request
- the HTTP requestresponse
- the HTTP responseauthentication
- the current principal detailspublic void setCookieName(String cookieName)
protected String getCookieName()
public void setAlwaysRemember(boolean alwaysRemember)
public void setParameter(String parameter)
parameter
- the HTTP request parameterpublic String getParameter()
protected UserDetailsService getUserDetailsService()
@Deprecated public void setUserDetailsService(UserDetailsService userDetailsService)
@Deprecated public void setKey(String key)
public String getKey()
public void setTokenValiditySeconds(int tokenValiditySeconds)
protected int getTokenValiditySeconds()
public void setUseSecureCookie(boolean useSecureCookie)
By default the cookie will be secure if the request is secure. If you only want to use remember-me over
HTTPS (recommended) you should set this property to true
.
useSecureCookie
- set to true
to always user secure cookies, false
to disable their use.protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> getAuthenticationDetailsSource()
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker)
UserDetails
object obtained for
the user when processing a remember-me cookie to automatically log in a user.userDetailsChecker
- the strategy which will be passed the user object to allow it to be rejected if account should not
be allowed to authenticate (if it is locked, for example). Defaults to a
AccountStatusUserDetailsChecker
instance.public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)