Package org.springframework.security.core.token

Class KeyBasedPersistenceTokenService

  • All Implemented Interfaces:
    org.springframework.beans.factory.InitializingBean, TokenService
    public class KeyBasedPersistenceTokenService
extends java.lang.Object
implements TokenService, org.springframework.beans.factory.InitializingBean
    Basic implementation of TokenService that is compatible with clusters and across machine restarts, without requiring database persistence.

    Keys are produced in the format:

    Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )

    In the above, creationTime, tokenKey and extendedInformation are equal to that stored in Token. The Sha512Hex includes the same payload, plus a serverSecret.

    The serverSecret varies every millisecond. It relies on two static server-side secrets. The first is a password, and the second is a server integer. Both of these must remain the same for any issued keys to subsequently be recognised. The applicable serverSecret in any millisecond is computed by password + ":" + (creationTime % serverInteger). This approach further obfuscates the actual server secret and renders attempts to compute the server secret more limited in usefulness (as any false tokens would be forced to have a creationTime equal to the computed hash). Recall that framework features depending on token services should reject tokens that are relatively old in any event.

    A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers. To this end, the use of SecureRandomFactoryBean is recommended to inject the property.

    This implementation uses UTF-8 encoding internally for string manipulation.

    • Constructor Detail

      • KeyBasedPersistenceTokenService

        public KeyBasedPersistenceTokenService()

    • Method Detail

      • allocateToken

        public Token allocateToken​(java.lang.String extendedInformation)
        Description copied from interface: TokenService
        Forces the allocation of a new Token.
        Specified by:
        allocateToken in interface TokenService
        Parameters:
        extendedInformation - the extended information desired in the token (cannot be null, but can be empty)
        Returns:
        a new token that has not been issued previously, and is guaranteed to be recognised by this implementation's TokenService.verifyToken(String) at any future time.

      • verifyToken

        public Token verifyToken​(java.lang.String key)
        Description copied from interface: TokenService
        Permits verification the Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.
        Specified by:
        verifyToken in interface TokenService
        Parameters:
        key - as obtained from Token.getKey() and created by this implementation
        Returns:
        the token, or null if the token was not issued by this TokenService

      • setServerSecret

        public void setServerSecret​(java.lang.String serverSecret)
        Parameters:
        serverSecret - the new secret, which can contain a ":" if desired (never being sent to the client)

      • setSecureRandom

        public void setSecureRandom​(java.security.SecureRandom secureRandom)

      • setPseudoRandomNumberBytes

        public void setPseudoRandomNumberBytes​(int pseudoRandomNumberBytes)
        Parameters:
        pseudoRandomNumberBytes - changes the number of bytes issued (must be >= 0; defaults to 256)

      • setServerInteger

        public void setServerInteger​(java.lang.Integer serverInteger)

      • afterPropertiesSet

        public void afterPropertiesSet()
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean