Class KeyBasedPersistenceTokenService
- java.lang.Object
  - org.springframework.security.core.token.KeyBasedPersistenceTokenService

All Implemented Interfaces: org.springframework.beans.factory.InitializingBean, TokenService

public class KeyBasedPersistenceTokenService extends java.lang.Object implements TokenService, org.springframework.beans.factory.InitializingBean

Basic implementation of TokenService that is compatible with clusters and across machine restarts, without requiring database persistence.

Keys are produced in the format:

Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )

In the above, creationTime, tokenKey and extendedInformation are equal to that stored in Token. The Sha512Hex includes the same payload, plus a serverSecret.

The serverSecret varies every millisecond. It relies on two static server-side secrets. The first is a password, and the second is a server integer. Both of these must remain the same for any issued keys to subsequently be recognised. The applicable serverSecret in any millisecond is computed by password + ":" + (creationTime % serverInteger). This approach further obfuscates the actual server secret and renders attempts to compute the server secret more limited in usefulness (as any false tokens would be forced to have a creationTime equal to the computed hash). Recall that framework features depending on token services should reject tokens that are relatively old in any event.

A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers. To this end, the use of SecureRandomFactoryBean is recommended to inject the property.

This implementation uses UTF-8 encoding internally for string manipulation.
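
The key layout and per-millisecond server secret described above, as an added example that is not Spring Security's own code: a stand-alone JDK 17+ re-implementation showing why an altered payload fails verification and how a caller rejects old keys. The names KeyFormatDemo, PASSWORD, SERVER_INTEGER, MAX_AGE_MS, digest, allocate and verify, the sample values, the null return for every failure, the constant-time comparison and the 15-minute age limit are assumptions of this example.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat; // JDK 17+

public class KeyFormatDemo {
    // Constructed sample values (assumptions); real secrets are injected, never hard-coded.
    static final String PASSWORD = "constructed-demo-password";
    static final int SERVER_INTEGER = 104729;
    static final long MAX_AGE_MS = 15 * 60 * 1000L; // age limit chosen by the caller
    // Sha512Hex(content + ":" + serverSecret), serverSecret = password + ":" + (creationTime % serverInteger)
    static String digest(String content, long creationTime) throws Exception {
        String input = content + ":" + PASSWORD + ":" + (creationTime % SERVER_INTEGER);
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-512").digest(input.getBytes(UTF_8)));
    }
    static String allocate(String extendedInformation, long creationTime) throws Exception {
        byte[] rnd = new byte[32]; // random component; this length is a constructed choice
        new SecureRandom().nextBytes(rnd);
        String content = creationTime + ":" + HexFormat.of().formatHex(rnd) + ":" + extendedInformation;
        String key = content + ":" + digest(content, creationTime);
        return Base64.getEncoder().encodeToString(key.getBytes(UTF_8));
    }

    // Returns extendedInformation, or null when the key is malformed, altered or too old.
    static String verify(String key, long now) throws Exception {
        try {
            String decoded = new String(Base64.getDecoder().decode(key), UTF_8);
            int cut = decoded.lastIndexOf(':'); // the digest is the final field
            if (cut < 0) return null;
            String content = decoded.substring(0, cut);
            String[] fields = content.split(":", 3); // extendedInformation may itself contain ':'
            if (fields.length < 3) return null;
            long creationTime = Long.parseLong(fields[0]);
            boolean match = MessageDigest.isEqual(digest(content, creationTime).getBytes(UTF_8),
                    decoded.substring(cut + 1).getBytes(UTF_8)); // constant-time comparison
            return (match && now - creationTime <= MAX_AGE_MS) ? fields[2] : null;
        } catch (IllegalArgumentException e) { return null; } // bad Base64 or non-numeric creationTime
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String key = allocate("user=alice:scope=reset", now);
        System.out.println("fresh key:   " + verify(key, now));
        System.out.println("stale key:   " + verify(key, now + MAX_AGE_MS + 1));
        String altered = new String(Base64.getDecoder().decode(key), UTF_8).replace("alice", "admin");
        System.out.println("altered key: " + verify(Base64.getEncoder().encodeToString(altered.getBytes(UTF_8)), now));
    }
}
```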

Constructor Summary
Constructor | Description
KeyBasedPersistenceTokenService() |

Method Summary
Modifier and Type | Method | Description
void | afterPropertiesSet() |
Token | allocateToken(java.lang.String extendedInformation) | Forces the allocation of a new Token.
void | setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) |
void | setSecureRandom(java.security.SecureRandom secureRandom) |
void | setServerInteger(java.lang.Integer serverInteger) |
void | setServerSecret(java.lang.String serverSecret) |
Token | verifyToken(java.lang.String key) | Permits verification the Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.

Method Detail

allocateToken
public Token allocateToken(java.lang.String extendedInformation)
Description copied from interface: TokenService
Forces the allocation of a new Token.
- Specified by: allocateToken in interface TokenService
- Parameters: extendedInformation - the extended information desired in the token (cannot be null, but can be empty)
- Returns: a new token that has not been issued previously, and is guaranteed to be recognised by this implementation's TokenService.verifyToken(String) at any future time.

verifyToken
public Token verifyToken(java.lang.String key)
Description copied from interface: TokenService
Permits verification the Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.
- Specified by: verifyToken in interface TokenService
- Parameters: key - as obtained from Token.getKey() and created by this implementation
- Returns: the token, or null if the token was not issued by this TokenService

setServerSecret
public void setServerSecret(java.lang.String serverSecret)
- Parameters: serverSecret - the new secret, which can contain a ":" if desired (never being sent to the client)

setSecureRandom
public void setSecureRandom(java.security.SecureRandom secureRandom)

setPseudoRandomNumberBytes
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes)
- Parameters: pseudoRandomNumberBytes - changes the number of bytes issued (must be >= 0; defaults to 256)

setServerInteger
public void setServerInteger(java.lang.Integer serverInteger)

afterPropertiesSet
public void afterPropertiesSet()
- Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean