Class KeyBasedPersistenceTokenService
- All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean
,TokenService
TokenService
that is compatible with clusters and
across machine restarts, without requiring database persistence.
Keys are produced in the format:
Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )
In the above, creationTime
, tokenKey
and
extendedInformation
are equal to that stored in Token
. The
Sha512Hex
includes the same payload, plus a serverSecret
.
The serverSecret
varies every millisecond. It relies on two static
server-side secrets. The first is a password, and the second is a server integer. Both
of these must remain the same for any issued keys to subsequently be recognised. The
applicable serverSecret
in any millisecond is computed by
password
+ ":" + (creationTime
% serverInteger
).
This approach further obfuscates the actual server secret and renders attempts to
compute the server secret more limited in usefulness (as any false tokens would be
forced to have a creationTime
equal to the computed hash). Recall that
framework features depending on token services should reject tokens that are relatively
old in any event.
A further consideration of this class is the requirement for cryptographically strong
pseudo-random numbers. To this end, the use of SecureRandomFactoryBean
is
recommended to inject the property.
This implementation uses UTF-8 encoding internally for string manipulation.
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
allocateToken
(String extendedInformation) Forces the allocation of a newToken
.void
setPseudoRandomNumberBytes
(int pseudoRandomNumberBytes) void
setSecureRandom
(SecureRandom secureRandom) void
setServerInteger
(Integer serverInteger) void
setServerSecret
(String serverSecret) verifyToken
(String key) Permits verification theToken.getKey()
was issued by thisTokenService
and reconstructs the correspondingToken
.
-
Constructor Details
-
KeyBasedPersistenceTokenService
public KeyBasedPersistenceTokenService()
-
-
Method Details
-
allocateToken
Description copied from interface:TokenService
Forces the allocation of a newToken
.- Specified by:
allocateToken
in interfaceTokenService
- Parameters:
extendedInformation
- the extended information desired in the token (cannot benull
, but can be empty)- Returns:
- a new token that has not been issued previously, and is guaranteed to be
recognised by this implementation's
TokenService.verifyToken(String)
at any future time.
-
verifyToken
Description copied from interface:TokenService
Permits verification theToken.getKey()
was issued by thisTokenService
and reconstructs the correspondingToken
.- Specified by:
verifyToken
in interfaceTokenService
- Parameters:
key
- as obtained fromToken.getKey()
and created by this implementation- Returns:
- the token, or
null
if the token was not issued by thisTokenService
-
setServerSecret
- Parameters:
serverSecret
- the new secret, which can contain a ":" if desired (never being sent to the client)
-
setSecureRandom
-
setPseudoRandomNumberBytes
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) - Parameters:
pseudoRandomNumberBytes
- changes the number of bytes issued (must be >= 0; defaults to 256)
-
setServerInteger
-
afterPropertiesSet
public void afterPropertiesSet()- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
-