Package org.springframework.security.core.token

Class KeyBasedPersistenceTokenService

java.lang.Object
org.springframework.security.core.token.KeyBasedPersistenceTokenService
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, TokenService
public class KeyBasedPersistenceTokenService extends Object implements TokenService, org.springframework.beans.factory.InitializingBean
Basic implementation of TokenService that is compatible with clusters and across machine restarts, without requiring database persistence.

Keys are produced in the format:

Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )

In the above, creationTime, tokenKey and extendedInformation are equal to that stored in Token. The Sha512Hex includes the same payload, plus a serverSecret.

The serverSecret varies every millisecond. It relies on two static server-side secrets. The first is a password, and the second is a server integer. Both of these must remain the same for any issued keys to subsequently be recognised. The applicable serverSecret in any millisecond is computed by password + ":" + (creationTime % serverInteger). This approach further obfuscates the actual server secret and renders attempts to compute the server secret more limited in usefulness (as any false tokens would be forced to have a creationTime equal to the computed hash). Recall that framework features depending on token services should reject tokens that are relatively old in any event.

A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers. To this end, the use of SecureRandomFactoryBean is recommended to inject the property.

This implementation uses UTF-8 encoding internally for string manipulation.

  • Constructor Details

    • KeyBasedPersistenceTokenService

      public KeyBasedPersistenceTokenService()

  • Method Details

    • allocateToken

      public Token allocateToken(String extendedInformation)
      Description copied from interface: TokenService
      Forces the allocation of a new Token.
      Specified by:
      allocateToken in interface TokenService
      Parameters:
      extendedInformation - the extended information desired in the token (cannot be null, but can be empty)
      Returns:
      a new token that has not been issued previously, and is guaranteed to be recognised by this implementation's TokenService.verifyToken(String) at any future time.

    • verifyToken

      public Token verifyToken(String key)
      Description copied from interface: TokenService
      Permits verification the Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.
      Specified by:
      verifyToken in interface TokenService
      Parameters:
      key - as obtained from Token.getKey() and created by this implementation
      Returns:
      the token, or null if the token was not issued by this TokenService

    • setServerSecret

      public void setServerSecret(String serverSecret)
      Parameters:
      serverSecret - the new secret, which can contain a ":" if desired (never being sent to the client)

    • setSecureRandom

      public void setSecureRandom(SecureRandom secureRandom)

    • setPseudoRandomNumberBytes

      public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes)
      Parameters:
      pseudoRandomNumberBytes - changes the number of bytes issued (must be >= 0; defaults to 256)

    • setServerInteger

      public void setServerInteger(Integer serverInteger)

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean