Class PersistentTokenBasedRememberMeServices

java.lang.Object
  org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices

All Implemented Interfaces:
- org.springframework.beans.factory.Aware
- org.springframework.beans.factory.InitializingBean
- org.springframework.context.MessageSourceAware
- LogoutHandler
- RememberMeServices
RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice.

There is a slight modification to the described approach, in that the username is not stored as part of the cookie but obtained from the persistent store via an implementation of PersistentTokenRepository. The latter should place a unique constraint on the series identifier, so that it is impossible for the same identifier to be allocated to two different users.

User management such as changing passwords, removing users and setting user status should be combined with maintenance of the user's persistent tokens: a remember-me cookie issued before such a change otherwise keeps logging the user in until its token expires.

Note that while this class uses the date stored with a token (set when the token is created and refreshed on each successful auto-login) to check whether a presented cookie is older than the configured tokenValiditySeconds property, and denies authentication in that case, it does not delete expired tokens from storage. A suitable batch process should be run periodically to remove expired tokens from the database.
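The following configuration is an added example, not code from Spring Security itself. It wires the class to a JDBC-backed PersistentTokenRepository and adds the two pieces of housekeeping the description asks the application to provide: invalidating a user's tokens when their account changes, and a scheduled purge of expired rows. The key string "rm-key", the validity period, the 03:00 cron schedule and the bean names are assumptions; the persistent_logins table and its last_used column are the default schema that JdbcTokenRepositoryImpl creates when setCreateTableOnStartup(true) is set.

```java
import java.time.Instant;
import java.util.Date;

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.stereotype.Component;

@Configuration
@EnableScheduling
public class RememberMeConfig {

    /** Assumed validity window: 7 days instead of the two-week default (TWO_WEEKS_S). */
    static final int TOKEN_VALIDITY_SECONDS = 7 * 24 * 60 * 60;

    @Bean
    PersistentTokenRepository tokenRepository(DataSource dataSource) {
        JdbcTokenRepositoryImpl repository = new JdbcTokenRepositoryImpl();
        repository.setDataSource(dataSource);
        // Demo only: creates the default persistent_logins table (username, series, token, last_used)
        // with "series" as the primary key, i.e. the unique constraint the class description requires.
        // In production, ship the same DDL through your schema migrations instead.
        repository.setCreateTableOnStartup(true);
        return repository;
    }

    @Bean
    PersistentTokenBasedRememberMeServices rememberMeServices(UserDetailsService userDetailsService,
            PersistentTokenRepository tokenRepository) {
        // "rm-key" is a placeholder; it must equal the key given to the RememberMeAuthenticationProvider.
        PersistentTokenBasedRememberMeServices services = new PersistentTokenBasedRememberMeServices(
                "rm-key", userDetailsService, tokenRepository);
        services.setTokenValiditySeconds(TOKEN_VALIDITY_SECONDS); // must be > 0 for this implementation
        services.setUseSecureCookie(true);                         // never send the cookie over plain HTTP
        services.setSeriesLength(24);                              // bytes of random data per series id
        services.setTokenLength(24);                               // bytes of random data per token value
        return services;
    }
}

/** Token housekeeping that PersistentTokenBasedRememberMeServices deliberately leaves to the application. */
@Component
class PersistentTokenMaintenance {

    private final PersistentTokenRepository tokenRepository;
    private final JdbcTemplate jdbc;

    PersistentTokenMaintenance(PersistentTokenRepository tokenRepository, DataSource dataSource) {
        this.tokenRepository = tokenRepository;
        this.jdbc = new JdbcTemplate(dataSource);
    }

    /**
     * Call this from the password-change, account-disable and account-delete paths. Without it,
     * a remember-me cookie issued before the change keeps logging the user in until it expires.
     */
    public void invalidateRememberMeSessions(String username) {
        tokenRepository.removeUserTokens(username);
    }

    /**
     * Expired tokens are rejected but never deleted by the services class, so purge rows whose
     * last_used date is older than the validity window. The nightly schedule is an assumption.
     */
    @Scheduled(cron = "0 0 3 * * *")
    public void purgeExpiredTokens() {
        Date cutoff = Date.from(Instant.now().minusSeconds(RememberMeConfig.TOKEN_VALIDITY_SECONDS));
        int removed = jdbc.update("DELETE FROM persistent_logins WHERE last_used < ?", cutoff);
        // report `removed` through your usual logging
    }
}
```

The purge keys on last_used because that is the date the validity check compares against: every successful auto-login rotates the token and refreshes last_used, so a row older than the window is exactly one the services class would reject anyway. The services bean is plugged into the filter chain with the rememberMe DSL (rememberMeServices(...)) and the same "rm-key" string must be given to the RememberMeAuthenticationProvider, otherwise the remember-me authentication it produces is rejected.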
Since:
- 2.0
Field Summary

Fields:
- static final int DEFAULT_SERIES_LENGTH
- static final int DEFAULT_TOKEN_LENGTH

Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices:
- DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S

Constructor Summary

Constructors:
- PersistentTokenBasedRememberMeServices(String key, UserDetailsService userDetailsService, PersistentTokenRepository tokenRepository)

Method Summary

Methods:
- protected String generateSeriesData()
- protected String generateTokenData()
- void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication) - Implementation of LogoutHandler.
- protected void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) - Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.
- protected UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) - Locates the presented cookie data in the token repository, using the series id.
- void setSeriesLength(int seriesLength)
- void setTokenLength(int tokenLength)
- void setTokenValiditySeconds(int tokenValiditySeconds)

Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices:
- afterPropertiesSet, autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setMessageSource, setParameter, setUserDetailsChecker, setUseSecureCookie
Field Details

DEFAULT_SERIES_LENGTH
public static final int DEFAULT_SERIES_LENGTH
- See Also: Constant Field Values

DEFAULT_TOKEN_LENGTH
public static final int DEFAULT_TOKEN_LENGTH
- See Also: Constant Field Values
Constructor Details

PersistentTokenBasedRememberMeServices
public PersistentTokenBasedRememberMeServices(String key, UserDetailsService userDetailsService, PersistentTokenRepository tokenRepository)
Method Details

processAutoLoginCookie
protected UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)

Locates the presented cookie data in the token repository, using the series id. If the data compares successfully with that in the persistent store, a new token is generated and stored with the same series. The corresponding cookie value is set on the response.

- Specified by: processAutoLoginCookie in class AbstractRememberMeServices
- Parameters:
  - cookieTokens - the series and token values
  - request - the request
  - response - the response, to allow the cookie to be modified if required.
- Returns: the UserDetails for the corresponding user account if the cookie was validated successfully.
- Throws:
  - RememberMeAuthenticationException - if there is no stored token corresponding to the submitted cookie, or if the token in the persistent store has expired.
  - InvalidCookieException - if the cookie doesn't have two tokens as expected.
  - CookieTheftException - if a presented series value is found, but the stored token is different from the one presented. This is treated as evidence that the cookie was copied and already used from elsewhere: all of the user's persistent tokens are removed before the exception is thrown, so every remember-me login for that user is invalidated and the user must authenticate interactively again.
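The rotation and theft-detection behaviour described above, as an added example that is not part of Spring Security's own code. It drives the class directly with the in-memory repository (InMemoryTokenRepositoryImpl) and the mock servlet objects from spring-test, so it runs without a container or a database. The user "alice", the key "demo-key" and the request paths are constructed for the demo; the cookie name "remember-me" is the class's default.

```java
import jakarta.servlet.http.Cookie;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.rememberme.CookieTheftException;
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

public class RememberMeRotationDemo {

    /** Default cookie name used by the class (SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY). */
    static final String COOKIE = "remember-me";

    public static void main(String[] args) {
        // Constructed test user and key; "{noop}" keeps the demo free of a password encoder.
        UserDetails alice = User.withUsername("alice").password("{noop}secret").roles("USER").build();
        PersistentTokenRepository repository = new InMemoryTokenRepositoryImpl();
        PersistentTokenBasedRememberMeServices services = new PersistentTokenBasedRememberMeServices(
                "demo-key", new InMemoryUserDetailsManager(alice), repository);
        services.setAlwaysRemember(true); // skip the "remember-me" form parameter check for the demo

        // 1. Interactive login: onLoginSuccess stores a fresh series + token and sets the cookie.
        MockHttpServletRequest loginRequest = new MockHttpServletRequest("POST", "/login");
        MockHttpServletResponse loginResponse = new MockHttpServletResponse();
        Authentication auth = UsernamePasswordAuthenticationToken.authenticated(alice, null, alice.getAuthorities());
        services.loginSuccess(loginRequest, loginResponse, auth);
        Cookie first = loginResponse.getCookie(COOKIE);

        // 2. The browser presents the cookie: series found, token matches, so the token is rotated
        //    (same series, new value) and the new cookie replaces the old one.
        MockHttpServletResponse autoResponse = new MockHttpServletResponse();
        Authentication remembered = services.autoLogin(requestWith(first), autoResponse);
        Cookie second = autoResponse.getCookie(COOKIE);
        System.out.println("auto-login as " + remembered.getName()
                + ", cookie rotated: " + !first.getValue().equals(second.getValue()));

        // 3. Someone replays the FIRST cookie (a stolen copy, or a stale tab): the series exists but the
        //    stored token is now the rotated one. CookieTheftException is thrown, autoLogin cancels the
        //    cookie and rethrows, and every token for alice has been removed from the repository.
        try {
            services.autoLogin(requestWith(first), new MockHttpServletResponse());
        } catch (CookieTheftException ex) {
            System.out.println("theft detected: " + ex.getMessage());
        }

        // 4. The legitimate (rotated) cookie no longer works either: the series is gone, so autoLogin
        //    returns null and alice has to log in interactively again.
        Authentication afterTheft = services.autoLogin(requestWith(second), new MockHttpServletResponse());
        System.out.println("rotated cookie still accepted after theft? " + (afterTheft != null));
    }

    /** Builds a request carrying a copy of the given remember-me cookie, as a browser would resend it. */
    private static MockHttpServletRequest requestWith(Cookie cookie) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        request.setCookies(new Cookie(cookie.getName(), cookie.getValue()));
        return request;
    }
}
```

Two practical consequences follow from step 3. First, autoLogin does not swallow CookieTheftException the way it swallows the other remember-me failures (those make it return null after cancelling the cookie); the exception propagates out of the filter, so decide how to surface it to the user. Second, the same path fires as a false positive when two requests carrying the same cookie are in flight at once (for example a browser restoring several tabs), because the first request rotates the token before the second one is checked; if that matters for your users, serialise remember-me requests or accept the occasional forced re-login.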
 
onLoginSuccess
protected void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)

Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.

- Specified by: onLoginSuccess in class AbstractRememberMeServices
logout
public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication)

Description copied from class: AbstractRememberMeServices. Implementation of LogoutHandler. Default behaviour is to call cancelCookie(). This class additionally removes all of the user's persistent tokens from the repository when authentication is non-null, so logging out invalidates the remember-me cookies of every browser that user has logged in from, not just the one issuing the logout.

- Specified by: logout in interface LogoutHandler
- Overrides: logout in class AbstractRememberMeServices
- Parameters:
  - request - the HTTP request
  - response - the HTTP response
  - authentication - the current principal details
generateSeriesData
protected String generateSeriesData()

Generates the random series identifier for a new token; the amount of random data is controlled by setSeriesLength.

generateTokenData
protected String generateTokenData()

Generates a random token value, used both for a new series and for the rotated token written on each successful auto-login; the amount of random data is controlled by setTokenLength.
setSeriesLength
public void setSeriesLength(int seriesLength)

setTokenLength
public void setTokenLength(int tokenLength)

setTokenValiditySeconds
public void setTokenValiditySeconds(int tokenValiditySeconds)

Unlike the superclass, which accepts a negative value to mean a session-scoped cookie, this implementation requires a positive value, since the stored token's date is compared against it to decide whether a presented cookie has expired.

- Overrides: setTokenValiditySeconds in class AbstractRememberMeServices