Class AbstractRememberMeServices

java.lang.Object
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, LogoutHandler, RememberMeServices
Direct Known Subclasses:
PersistentTokenBasedRememberMeServices, TokenBasedRememberMeServices

public abstract class AbstractRememberMeServices extends Object implements RememberMeServices, org.springframework.beans.factory.InitializingBean, LogoutHandler, org.springframework.context.MessageSourceAware
Base class for RememberMeServices implementations.
Since:
2.0
  • Field Details

    • DEFAULT_PARAMETER

      public static final String DEFAULT_PARAMETER
    • TWO_WEEKS_S

      public static final int TWO_WEEKS_S
    • logger

      protected final org.apache.commons.logging.Log logger
    • messages

      protected org.springframework.context.support.MessageSourceAccessor messages
  • Constructor Details

  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
    • autoLogin

      public Authentication autoLogin(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method.

      The returned username is then used to load the UserDetails object for the user, which in turn is used to create a valid authentication token.

      Specified by:
      autoLogin in interface RememberMeServices
      Parameters:
      request - to look for a remember-me token within
      response - to change, cancel or modify the remember-me token
      Returns:
      a valid authentication object, or null if the request should not be authenticated
    • extractRememberMeCookie

      protected String extractRememberMeCookie(jakarta.servlet.http.HttpServletRequest request)
      Locates the Spring Security remember me cookie in the request and returns its value. The cookie is searched for by name and also by matching the context path to the cookie path.
      Parameters:
      request - the submitted request which is to be authenticated
      Returns:
      the cookie value (if present), null otherwise.
    • createSuccessfulAuthentication

      protected Authentication createSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, UserDetails user)
      Creates the final Authentication object returned from the autoLogin method.

      By default it will create a RememberMeAuthenticationToken instance.

      Parameters:
      request - the original request. The configured AuthenticationDetailsSource will use this to build the details property of the returned object.
      user - the UserDetails loaded from the UserDetailsService. This will be stored as the principal.
      Returns:
      the Authentication for the remember-me authenticated user
    • decodeCookie

      protected String[] decodeCookie(String cookieValue) throws InvalidCookieException
      Decodes the cookie and splits it into a set of token strings using the ":" delimiter.
      Parameters:
      cookieValue - the value obtained from the submitted cookie
      Returns:
      the array of tokens.
      Throws:
      InvalidCookieException - if the cookie was not base64 encoded.
    • encodeCookie

      protected String encodeCookie(String[] cookieTokens)
      Inverse operation of decodeCookie.
      Parameters:
      cookieTokens - the tokens to be encoded.
      Returns:
      base64 encoding of the tokens concatenated with the ":" delimiter.
    • loginFail

      public void loginFail(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: RememberMeServices
      Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated in the HttpServletRequest.
      Specified by:
      loginFail in interface RememberMeServices
      Parameters:
      request - that contained an invalid authentication request
      response - to change, cancel or modify the remember-me token
    • onLoginFail

      protected void onLoginFail(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    • loginSuccess

      public void loginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
      Called whenever an interactive authentication attempt is successful. An implementation may automatically set a remember-me token in the HttpServletResponse, although this is not recommended. Instead, implementations should typically look for a request parameter that indicates the browser has presented an explicit request for authentication to be remembered, such as the presence of an HTTP POST parameter.

      Examines the incoming request and checks for the presence of the configured "remember me" parameter. If it's present, or if alwaysRemember is set to true, calls onLoginSuccess.

      Specified by:
      loginSuccess in interface RememberMeServices
      Parameters:
      request - that contained the valid authentication request
      response - to change, cancel or modify the remember-me token
      successfulAuthentication - representing the successfully authenticated principal
    • onLoginSuccess

      protected abstract void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
      Called from loginSuccess when a remember-me login has been requested. Typically implemented by subclasses to set a remember-me cookie and potentially store a record of it if the implementation requires this.
    • rememberMeRequested

      protected boolean rememberMeRequested(jakarta.servlet.http.HttpServletRequest request, String parameter)
      Allows customization of whether a remember-me login has been requested. The default is to return true if alwaysRemember is set or the configured parameter name has been included in the request and is set to the value "true".
      Parameters:
      request - the request submitted from an interactive login, which may include additional information indicating that a persistent login is desired.
      parameter - the configured remember-me parameter name.
      Returns:
      true if the request includes information indicating that a persistent login has been requested.
    • processAutoLoginCookie

      protected abstract UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws RememberMeAuthenticationException, UsernameNotFoundException
      Called from autoLogin to process the submitted persistent login cookie. Subclasses should validate the cookie and perform any additional management required.
      Parameters:
      cookieTokens - the decoded and tokenized cookie value
      request - the request
      response - the response, to allow the cookie to be modified if required.
      Returns:
      the UserDetails for the corresponding user account if the cookie was validated successfully.
      Throws:
      RememberMeAuthenticationException - if the cookie is invalid or the login is invalid for some other reason.
      UsernameNotFoundException - if the user account corresponding to the login cookie couldn't be found (for example if the user has been removed from the system).
    • cancelCookie

      protected void cancelCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.
    • setCookie

      protected void setCookie(String[] tokens, int maxAge, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Sets the cookie on the response. By default a secure cookie will be used if the connection is secure. You can set the useSecureCookie property to false to override this. If you set it to true, the cookie will always be flagged as secure. By default the cookie will be marked as HttpOnly.
      Parameters:
      tokens - the tokens which will be encoded to make the cookie value.
      maxAge - the value passed to Cookie.setMaxAge(int)
      request - the request
      response - the response to add the cookie to.
    • logout

      public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication)
      Implementation of LogoutHandler. Default behaviour is to call cancelCookie().
      Specified by:
      logout in interface LogoutHandler
      Parameters:
      request - the HTTP request
      response - the HTTP response
      authentication - the current principal details
    • setCookieName

      public void setCookieName(String cookieName)
    • setCookieDomain

      public void setCookieDomain(String cookieDomain)
    • getCookieName

      protected String getCookieName()
    • setAlwaysRemember

      public void setAlwaysRemember(boolean alwaysRemember)
    • setParameter

      public void setParameter(String parameter)
      Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request. This should be the same name you assign to the checkbox in your login form.
      Parameters:
      parameter - the HTTP request parameter
    • getParameter

      public String getParameter()
    • getUserDetailsService

      protected UserDetailsService getUserDetailsService()
    • getKey

      public String getKey()
    • setTokenValiditySeconds

      public void setTokenValiditySeconds(int tokenValiditySeconds)
    • getTokenValiditySeconds

      protected int getTokenValiditySeconds()
    • setUseSecureCookie

      public void setUseSecureCookie(boolean useSecureCookie)
      Whether the cookie should be flagged as secure or not. Secure cookies can only be sent over an HTTPS connection and thus cannot be accidentally submitted over HTTP where they could be intercepted.

      By default the cookie will be secure if the request is secure. If you only want to use remember-me over HTTPS (recommended) you should set this property to true.

      Parameters:
      useSecureCookie - set to true to always use secure cookies, false to disable their use.
    • getAuthenticationDetailsSource

      protected AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> getAuthenticationDetailsSource()
    • setAuthenticationDetailsSource

      public void setAuthenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> authenticationDetailsSource)
    • setUserDetailsChecker

      public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker)
      Sets the strategy to be used to validate the UserDetails object obtained for the user when processing a remember-me cookie to automatically log in a user.
      Parameters:
      userDetailsChecker - the strategy which will be passed the user object to allow it to be rejected if the account should not be allowed to authenticate (if it is locked, for example). Defaults to an AccountStatusUserDetailsChecker instance.
    • setAuthoritiesMapper

      public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)
    • setMessageSource

      public void setMessageSource(org.springframework.context.MessageSource messageSource)
      Specified by:
      setMessageSource in interface org.springframework.context.MessageSourceAware
      Since:
      5.5
    • setCookieCustomizer

      public void setCookieCustomizer(Consumer<jakarta.servlet.http.Cookie> cookieCustomizer)
      Sets the Consumer that allows customization of the cookie.
      Parameters:
      cookieCustomizer - the customizer applied to the cookie
      Since:
      6.4
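
A hardened configuration built from the setters documented on this page (setUseSecureCookie, setTokenValiditySeconds, setAlwaysRemember, setParameter, setCookieCustomizer), given as an added example and not code from the Spring Security project. The class name, the `app.remember-me.key` property, the one-week lifetime and the SameSite value are assumptions; `Cookie.setAttribute` requires Jakarta Servlet 6.0 or later.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

@Configuration
@EnableWebSecurity
public class RememberMeConfig { // hypothetical class name

    @Bean
    RememberMeServices rememberMeServices(UserDetailsService users,
            // Hypothetical property name; supply the key from secret storage.
            @Value("${app.remember-me.key}") String key) {
        TokenBasedRememberMeServices services = new TokenBasedRememberMeServices(key, users);
        // Always flag the cookie Secure instead of following the request scheme,
        // so the browser never sends it over plain HTTP.
        services.setUseSecureCookie(true);
        // Shorter than the two-week default; one week is an assumed policy value.
        services.setTokenValiditySeconds(7 * 24 * 60 * 60);
        // Only remember users who ticked the checkbox; the parameter name
        // must match the checkbox name in the login form.
        services.setAlwaysRemember(false);
        services.setParameter("remember-me");
        // HttpOnly is already the default; add SameSite through the customizer hook.
        // Cookie.setAttribute needs Jakarta Servlet 6.0 or later.
        services.setCookieCustomizer(cookie -> cookie.setAttribute("SameSite", "Lax"));
        return services;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, RememberMeServices services) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Use the bean above instead of the configurer's default services.
            .rememberMe(rememberMe -> rememberMe.rememberMeServices(services));
        return http.build();
    }
}
```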