public abstract class AbstractRememberMeServices extends Object implements RememberMeServices, InitializingBean, LogoutHandler

Modifier and Type | Field and Description |
---|---|
static String | DEFAULT_PARAMETER |
protected org.apache.commons.logging.Log | logger |
protected MessageSourceAccessor | messages |
static String | SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY |
static int | TWO_WEEKS_S |
Modifier | Constructor and Description |
---|---|
protected | AbstractRememberMeServices(String key, UserDetailsService userDetailsService) |
Modifier and Type | Method and Description |
---|---|
void | afterPropertiesSet() |
Authentication | autoLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method. |
protected void | cancelCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins. |
protected Authentication | createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, UserDetails user) Creates the final Authentication object returned from the autoLogin method. |
protected String[] | decodeCookie(String cookieValue) Decodes the cookie and splits it into a set of token strings using the ":" delimiter. |
protected String | encodeCookie(String[] cookieTokens) Inverse operation of decodeCookie. |
protected String | extractRememberMeCookie(javax.servlet.http.HttpServletRequest request) Locates the Spring Security remember me cookie in the request and returns its value. |
protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> | getAuthenticationDetailsSource() |
protected String | getCookieName() |
String | getKey() |
String | getParameter() |
protected int | getTokenValiditySeconds() |
protected UserDetailsService | getUserDetailsService() |
void | loginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. |
void | loginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called whenever an interactive authentication attempt is successful. |
void | logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication) Implementation of LogoutHandler. |
protected void | onLoginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) |
protected abstract void | onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called from loginSuccess when a remember-me login has been requested. |
protected abstract UserDetails | processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Called from autoLogin to process the submitted persistent login cookie. |
protected boolean | rememberMeRequested(javax.servlet.http.HttpServletRequest request, String parameter) Allows customization of whether a remember-me login has been requested. |
void | setAlwaysRemember(boolean alwaysRemember) |
void | setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource) |
void | setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) |
protected void | setCookie(String[] tokens, int maxAge, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Sets the cookie on the response. |
void | setCookieName(String cookieName) |
void | setParameter(String parameter) Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request. |
void | setTokenValiditySeconds(int tokenValiditySeconds) |
void | setUserDetailsChecker(UserDetailsChecker userDetailsChecker) Sets the strategy to be used to validate the UserDetails object obtained for the user when processing a remember-me cookie to automatically log in a user. |
void | setUseSecureCookie(boolean useSecureCookie) Whether the cookie should be flagged as secure or not. |
public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
public static final String DEFAULT_PARAMETER
public static final int TWO_WEEKS_S
protected final org.apache.commons.logging.Log logger
protected final MessageSourceAccessor messages

protected AbstractRememberMeServices(String key, UserDetailsService userDetailsService)

public void afterPropertiesSet() throws Exception
Specified by: afterPropertiesSet in interface InitializingBean
Throws: Exception
public final Authentication autoLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method. The returned username is then used to load the UserDetails object for the user, which in turn is used to create a valid authentication token.
Specified by: autoLogin in interface RememberMeServices
Parameters:
request - to look for a remember-me token within
response - to change, cancel or modify the remember-me token
Returns: null if the request should not be authenticated

protected String extractRememberMeCookie(javax.servlet.http.HttpServletRequest request)
Locates the Spring Security remember me cookie in the request and returns its value.
Parameters:
request - the submitted request which is to be authenticated

protected Authentication createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, UserDetails user)
Creates the final Authentication object returned from the autoLogin method. By default it will create a RememberMeAuthenticationToken instance.
Parameters:
request - the original request. The configured AuthenticationDetailsSource will use this to build the details property of the returned object.
user - the UserDetails loaded from the UserDetailsService. This will be stored as the principal.

protected String[] decodeCookie(String cookieValue) throws InvalidCookieException
Decodes the cookie and splits it into a set of token strings using the ":" delimiter.
Parameters:
cookieValue - the value obtained from the submitted cookie
Throws:
InvalidCookieException - if the cookie was not base64 encoded.

protected String encodeCookie(String[] cookieTokens)
Inverse operation of decodeCookie.
Parameters:
cookieTokens - the tokens to be encoded.

public final void loginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid.
Specified by: loginFail in interface RememberMeServices
Parameters:
request - that contained an invalid authentication request
response - to change, cancel or modify the remember-me token

protected void onLoginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
public final void loginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
Called whenever an interactive authentication attempt is successful.
HttpServletResponse, although this is not recommended. Instead, implementations should typically look for a request parameter that indicates the browser has presented an explicit request for authentication to be remembered, such as the presence of a HTTP POST parameter.
Examines the incoming request and checks for the presence of the configured "remember me" parameter. If it is present, or if alwaysRemember is set to true, calls onLoginSuccess.
Specified by: loginSuccess in interface RememberMeServices
Parameters:
request - that contained the valid authentication request
response - to change, cancel or modify the remember-me token
successfulAuthentication - representing the successfully authenticated principal

protected abstract void onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
Called from loginSuccess when a remember-me login has been requested.

protected boolean rememberMeRequested(javax.servlet.http.HttpServletRequest request, String parameter)
Allows customization of whether a remember-me login has been requested.
Parameters:
request - the request submitted from an interactive login, which may include additional information indicating that a persistent login is desired.
parameter - the configured remember-me parameter name.

protected abstract UserDetails processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws RememberMeAuthenticationException, UsernameNotFoundException
Called from autoLogin to process the submitted persistent login cookie.
Parameters:
cookieTokens - the decoded and tokenized cookie value
request - the request
response - the response, to allow the cookie to be modified if required.
Throws:
RememberMeAuthenticationException - if the cookie is invalid or the login is invalid for some other reason.
UsernameNotFoundException - if the user account corresponding to the login cookie couldn't be found (for example if the user has been removed from the system).

protected void cancelCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.
protected void setCookie(String[] tokens, int maxAge, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Sets the cookie on the response.
useSecureCookie property to false to override this. If you set it to true, the cookie will always be flagged as secure. If Servlet 3.0 is used, the cookie will be marked as HttpOnly.
Parameters:
tokens - the tokens which will be encoded to make the cookie value.
maxAge - the value passed to Cookie.setMaxAge(int)
request - the request
response - the response to add the cookie to.

public void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
Implementation of LogoutHandler. Default behaviour is to call cancelCookie().
Specified by: logout in interface LogoutHandler
Parameters:
request - the HTTP request
response - the HTTP response
authentication - the current principal details

public void setCookieName(String cookieName)
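A worked subclass, added here as an example and not part of Spring Security itself, showing the contract described above: onLoginSuccess builds the token array and hands it to setCookie (which base64-encodes it and applies the Secure and HttpOnly flags), and processAutoLoginCookie validates the decoded tokens before the UserDetailsService lookup so a tampered or expired cookie never reaches the user store. The class name HmacRememberMeServices, the username:expiry:signature token layout and the HMAC-SHA256 signature keyed with getKey() are this example's own choices; it assumes tokenValiditySeconds is positive.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;

// Hypothetical subclass. Tokens handed to setCookie(): { username, expiryMillis, base64url(HMAC-SHA256(key, username ":" expiryMillis)) }
public class HmacRememberMeServices extends AbstractRememberMeServices {
    public HmacRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
    }
    @Override
    protected void onLoginSuccess(HttpServletRequest request, HttpServletResponse response,
                                  Authentication successfulAuthentication) {
        String username = successfulAuthentication.getName();
        long expiry = System.currentTimeMillis() + getTokenValiditySeconds() * 1000L;
        String[] tokens = { username, Long.toString(expiry), sign(username + ":" + expiry) };
        // setCookie() runs encodeCookie() and sets Secure (per useSecureCookie) and HttpOnly.
        setCookie(tokens, getTokenValiditySeconds(), request, response);
    }
    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
                                                 HttpServletResponse response) {
        // InvalidCookieException is a RememberMeAuthenticationException, so autoLogin() returns null.
        if (cookieTokens.length != 3) throw new InvalidCookieException("Expected 3 tokens, got " + cookieTokens.length);
        long expiry;
        try { expiry = Long.parseLong(cookieTokens[1]); }
        catch (NumberFormatException e) { throw new InvalidCookieException("Expiry token is not a number"); }
        if (expiry < System.currentTimeMillis()) throw new InvalidCookieException("Remember-me cookie has expired");
        byte[] expected = sign(cookieTokens[0] + ":" + cookieTokens[1]).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison: the signature check must not leak timing information.
        if (!MessageDigest.isEqual(expected, cookieTokens[2].getBytes(StandardCharsets.UTF_8))) {
            throw new InvalidCookieException("Remember-me cookie signature mismatch");
        }
        // Only now touch the user store; UsernameNotFoundException propagates if the account was removed.
        return getUserDetailsService().loadUserByUsername(cookieTokens[0]);
    }
    private String sign(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(getKey().getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```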
protected String getCookieName()
public void setAlwaysRemember(boolean alwaysRemember)
public void setParameter(String parameter)
Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request.
Parameters:
parameter - the HTTP request parameter

public String getParameter()
protected UserDetailsService getUserDetailsService()
public String getKey()
public void setTokenValiditySeconds(int tokenValiditySeconds)
protected int getTokenValiditySeconds()
public void setUseSecureCookie(boolean useSecureCookie)
Whether the cookie should be flagged as secure or not. By default the cookie will be secure if the request is secure. If you only want to use remember-me over HTTPS (recommended) you should set this property to true.
Parameters:
useSecureCookie - set to true to always use secure cookies, false to disable their use.

protected AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> getAuthenticationDetailsSource()
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)

public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker)
Sets the strategy to be used to validate the UserDetails object obtained for the user when processing a remember-me cookie to automatically log in a user.
Parameters:
userDetailsChecker - the strategy which will be passed the user object to allow it to be rejected if the account should not be allowed to authenticate (if it is locked, for example). Defaults to an AccountStatusUserDetailsChecker instance.

public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)