Class PersistentTokenBasedRememberMeServices
- java.lang.Object
  - org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    - org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
- All Implemented Interfaces:
  org.springframework.beans.factory.InitializingBean, LogoutHandler, RememberMeServices
public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices

RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice. There is a slight modification to the described approach, in that the username is not stored as part of the cookie but obtained from the persistent store via an implementation of PersistentTokenRepository. The latter should place a unique constraint on the series identifier, so that it is impossible for the same identifier to be allocated to two different users. User management such as changing passwords, removing users and setting user status should be combined with maintenance of the user's persistent tokens.
Note that while this class will use the date a token was created to check whether a presented cookie is older than the configured tokenValiditySeconds property and deny authentication in this case, it will not delete these tokens from storage. A suitable batch process should be run periodically to remove expired tokens from the database.
- Since:
  2.0
Field Summary

Fields
  Modifier and Type   Field
  static int          DEFAULT_SERIES_LENGTH
  static int          DEFAULT_TOKEN_LENGTH

Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
  DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S
Constructor Summary

Constructors
  PersistentTokenBasedRememberMeServices(java.lang.String key, UserDetailsService userDetailsService, PersistentTokenRepository tokenRepository)
Method Summary

All Methods  Instance Methods  Concrete Methods
  protected java.lang.String generateSeriesData()
  protected java.lang.String generateTokenData()
  void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
    Implementation of LogoutHandler.
  protected void onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
    Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.
  protected UserDetails processAutoLoginCookie(java.lang.String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
    Locates the presented cookie data in the token repository, using the series id.
  void setSeriesLength(int seriesLength)
  void setTokenLength(int tokenLength)
  void setTokenValiditySeconds(int tokenValiditySeconds)

Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
  afterPropertiesSet, autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setParameter, setUserDetailsChecker, setUseSecureCookie
Field Detail

DEFAULT_SERIES_LENGTH
public static final int DEFAULT_SERIES_LENGTH
- See Also:
  Constant Field Values

DEFAULT_TOKEN_LENGTH
public static final int DEFAULT_TOKEN_LENGTH
- See Also:
  Constant Field Values
Constructor Detail

PersistentTokenBasedRememberMeServices
public PersistentTokenBasedRememberMeServices(java.lang.String key, UserDetailsService userDetailsService, PersistentTokenRepository tokenRepository)
Method Detail

processAutoLoginCookie
protected UserDetails processAutoLoginCookie(java.lang.String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Locates the presented cookie data in the token repository, using the series id. If the data compares successfully with that in the persistent store, a new token is generated and stored with the same series. The corresponding cookie value is set on the response.
- Specified by:
  processAutoLoginCookie in class AbstractRememberMeServices
- Parameters:
  cookieTokens - the series and token values
  request - the request
  response - the response, to allow the cookie to be modified if required.
- Returns:
  the UserDetails for the corresponding user account if the cookie was validated successfully.
- Throws:
  RememberMeAuthenticationException - if there is no stored token corresponding to the submitted cookie, or if the token in the persistent store has expired.
  InvalidCookieException - if the cookie doesn't have two tokens as expected.
  CookieTheftException - if a presented series value is found, but the stored token is different from the one presented.
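The series/token check documented for processAutoLoginCookie above, together with the repository contract from the class description (unique series identifier, expired tokens rejected but left in storage), as an added Python model; this is not Spring Security's code, and the class names, the in-memory repository and the injected clock are assumptions made for the illustration. On a token mismatch the model also removes all of the user's series, which is what Spring's implementation does but the Javadoc above does not spell out.

```python
import secrets
import time

class RememberMeAuthenticationError(Exception): pass  # unknown series or expired token
class InvalidCookieError(RememberMeAuthenticationError): pass  # not exactly two cookie values
class CookieTheftError(RememberMeAuthenticationError): pass  # series known, token differs

class InMemoryTokenRepository:
    """Assumed stand-in for PersistentTokenRepository; the series id is the unique key."""
    def __init__(self):
        self._by_series = {}  # series -> (username, token, last_used)
    def create_new_token(self, username, series, token, last_used):
        if series in self._by_series:  # the unique constraint the Javadoc asks for
            raise ValueError("series identifier already allocated")
        self._by_series[series] = (username, token, last_used)
    def update_token(self, series, token, last_used):
        self._by_series[series] = (self._by_series[series][0], token, last_used)
    def get_token_for_series(self, series):
        return self._by_series.get(series)
    def remove_user_tokens(self, username):
        for s in [s for s, v in self._by_series.items() if v[0] == username]:
            del self._by_series[s]

class PersistentTokenRememberMe:
    """Model of onLoginSuccess / processAutoLoginCookie (not Spring's code)."""
    def __init__(self, repo, token_validity_seconds=14 * 24 * 3600, now=time.time):
        self.repo, self.validity, self.now = repo, token_validity_seconds, now
    def on_login_success(self, username):
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.repo.create_new_token(username, series, token, self.now())
        return [series, token]  # Spring joins these with ':' and Base64-encodes the cookie
    def process_auto_login_cookie(self, cookie_tokens):
        if len(cookie_tokens) != 2:
            raise InvalidCookieError("cookie must hold exactly series and token")
        series, presented = cookie_tokens
        stored = self.repo.get_token_for_series(series)
        if stored is None:
            raise RememberMeAuthenticationError("no persistent token for this series")
        username, token, last_used = stored
        if not secrets.compare_digest(presented, token):
            # Series known but token wrong: the cookie was most likely copied. Drop every
            # series of this user so neither holder can continue (as Spring does).
            self.repo.remove_user_tokens(username)
            raise CookieTheftError("presented token differs from stored token")
        if last_used + self.validity < self.now():
            # Expired tokens are rejected but left in storage; a batch job must purge them.
            raise RememberMeAuthenticationError("persistent token has expired")
        new_token = secrets.token_urlsafe(16)  # rotate the token, keep the series
        self.repo.update_token(series, new_token, self.now())
        return username, [series, new_token]
```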
onLoginSuccess
protected void onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.
- Specified by:
  onLoginSuccess in class AbstractRememberMeServices
logout
public void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
Description copied from class: AbstractRememberMeServices
Implementation of LogoutHandler. Default behaviour is to call cancelCookie().
- Specified by:
  logout in interface LogoutHandler
- Overrides:
  logout in class AbstractRememberMeServices
- Parameters:
  request - the HTTP request
  response - the HTTP response
  authentication - the current principal details
generateSeriesData
protected java.lang.String generateSeriesData()

generateTokenData
protected java.lang.String generateTokenData()

setSeriesLength
public void setSeriesLength(int seriesLength)

setTokenLength
public void setTokenLength(int tokenLength)

setTokenValiditySeconds
public void setTokenValiditySeconds(int tokenValiditySeconds)
- Overrides:
  setTokenValiditySeconds in class AbstractRememberMeServices