org.springframework.security.web.authentication.rememberme

Class PersistentTokenBasedRememberMeServices

java.lang.Object

org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices

All Implemented Interfaces:

InitializingBean, LogoutHandler, RememberMeServices

public class PersistentTokenBasedRememberMeServices
extends AbstractRememberMeServices

RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice. There is a slight modification to the described approach, in that the username is not stored as part of the cookie but obtained from the persistent store via an implementation of PersistentTokenRepository. The latter should place a unique constraint on the series identifier, so that it is impossible for the same identifier to be allocated to two different users.

User management such as changing passwords, removing users and setting user status should be combined with maintenance of the user's persistent tokens.

Note that while this class will use the date a token was created to check whether a presented cookie is older than the configured tokenValiditySeconds property and deny authentication in this case, it will not delete these tokens from storage. A suitable batch process should be run periodically to remove expired tokens from the database.

Since:

2.0

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_SERIES_LENGTH
static int	DEFAULT_TOKEN_LENGTH

Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S

Constructor Summary

Constructors

Constructor and Description
PersistentTokenBasedRememberMeServices() Deprecated. Use constructor injection
PersistentTokenBasedRememberMeServices(String key, UserDetailsService userDetailsService, PersistentTokenRepository tokenRepository)

Method Summary

Methods

Modifier and Type	Method and Description
protected String	generateSeriesData()
protected String	generateTokenData()
void	logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication) Implementation of LogoutHandler.
protected void	onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.
protected UserDetails	processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Locates the presented cookie data in the token repository, using the series id.
void	setSeriesLength(int seriesLength)
void	setTokenLength(int tokenLength)
void	setTokenRepository(PersistentTokenRepository tokenRepository) Deprecated. Use constructor injection
void	setTokenValiditySeconds(int tokenValiditySeconds)

Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

afterPropertiesSet, autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieName, setKey, setParameter, setUserDetailsChecker, setUserDetailsService, setUseSecureCookie

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_SERIES_LENGTH

public static final int DEFAULT_SERIES_LENGTH

See Also:

Constant Field Values

DEFAULT_TOKEN_LENGTH

public static final int DEFAULT_TOKEN_LENGTH

See Also:

Constant Field Values

Constructor Detail

PersistentTokenBasedRememberMeServices

@Deprecated
public PersistentTokenBasedRememberMeServices()

Deprecated. Use constructor injection

PersistentTokenBasedRememberMeServices

public PersistentTokenBasedRememberMeServices(String key,
                                      UserDetailsService userDetailsService,
                                      PersistentTokenRepository tokenRepository)

Method Detail

processAutoLoginCookie

protected UserDetails processAutoLoginCookie(String[] cookieTokens,
                                 javax.servlet.http.HttpServletRequest request,
                                 javax.servlet.http.HttpServletResponse response)

Locates the presented cookie data in the token repository, using the series id. If the data compares successfully with that in the persistent store, a new token is generated and stored with the same series. The corresponding cookie value is set on the response.

Specified by:

processAutoLoginCookie in class AbstractRememberMeServices

Parameters:

cookieTokens - the series and token values

request - the request

response - the response, to allow the cookie to be modified if required.

Returns:

the UserDetails for the corresponding user account if the cookie was validated successfully.

Throws:

RememberMeAuthenticationException - if there is no stored token corresponding to the submitted cookie, or if the token in the persistent store has expired.

InvalidCookieException - if the cookie doesn't have two tokens as expected.

CookieTheftException - if a presented series value is found, but the stored token is different from the one presented.

onLoginSuccess

protected void onLoginSuccess(javax.servlet.http.HttpServletRequest request,
                  javax.servlet.http.HttpServletResponse response,
                  Authentication successfulAuthentication)

Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.

Specified by:

onLoginSuccess in class AbstractRememberMeServices

logout

public void logout(javax.servlet.http.HttpServletRequest request,
          javax.servlet.http.HttpServletResponse response,
          Authentication authentication)

Description copied from class: AbstractRememberMeServices

Implementation of LogoutHandler. Default behaviour is to call cancelCookie().

Specified by:

logout in interface LogoutHandler

Overrides:

logout in class AbstractRememberMeServices

Parameters:

request - the HTTP request

response - the HTTP response

authentication - the current principal details

generateSeriesData

protected String generateSeriesData()

generateTokenData

protected String generateTokenData()

setTokenRepository

@Deprecated
public void setTokenRepository(PersistentTokenRepository tokenRepository)

Deprecated. Use constructor injection

setSeriesLength

public void setSeriesLength(int seriesLength)

setTokenLength

public void setTokenLength(int tokenLength)

setTokenValiditySeconds

public void setTokenValiditySeconds(int tokenValiditySeconds)

Overrides:

setTokenValiditySeconds in class AbstractRememberMeServices