Class TokenBasedRememberMeServices2
- java.lang.Object
- org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
- org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
- hudson.security.TokenBasedRememberMeServices2
- All Implemented Interfaces: org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.web.authentication.logout.LogoutHandler, org.springframework.security.web.authentication.RememberMeServices
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public class TokenBasedRememberMeServices2 extends org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
TokenBasedRememberMeServices with modification so as not to rely on the user password being available. This allows remember-me to work with security realms where the password is never available in clear text.
- Author: Kohsuke Kawaguchi
-
Field Summary
Fields
Modifier and Type | Field | Description
static boolean | SKIP_TOO_FAR_EXPIRATION_DATE_CHECK | Escape hatch for the check on the maximum date for the expiration duration of the remember me cookie
-
Constructor Summary
Constructors
Constructor | Description
TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) | Decorate UserDetailsService so that we can use information stored in LastGrantedAuthoritiesProperty.
-
Method Summary
All Methods | Instance Methods | Concrete Methods
Modifier and Type | Method | Description
protected org.springframework.security.core.Authentication | createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, org.springframework.security.core.userdetails.UserDetails userDetails) |
protected String | getCookieName() |
protected int | getTokenValiditySeconds() |
protected boolean | isTokenExpired(long tokenExpiryTimeMs) | In addition to the expiration requested by the super class, we also check that the expiration is not too far in the future.
protected String | makeTokenSignature(long tokenExpiryTime, String username, String password) |
void | onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication) |
protected org.springframework.security.core.userdetails.UserDetails | processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) |
protected String | retrievePassword(org.springframework.security.core.Authentication successfulAuthentication) |
-
Methods inherited from class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
calculateLoginLifetime, retrieveUserName
-
Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
afterPropertiesSet, autoLogin, cancelCookie, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getKey, getParameter, getUserDetailsService, loginFail, loginSuccess, logout, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie
-
Constructor Detail
-
TokenBasedRememberMeServices2
public TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
Decorate UserDetailsService so that we can use information stored in LastGrantedAuthoritiesProperty.
We wrap by ImpersonatingUserDetailsService2 in other places too, so this is possibly redundant, but there are many AbstractPasswordBasedSecurityRealm.loadUserByUsername2(String) implementations that do not do it, so doing it helps retrofit old plugins to benefit from the user impersonation improvements. Plus multiple ImpersonatingUserDetailsService2 do not incur any real performance penalty.
TokenBasedRememberMeServices needs to be used in conjunction with RememberMeAuthenticationProvider (see AbstractPasswordBasedSecurityRealm.createSecurityComponents()) and both need to use the same key and various security plugins need to do the same.
-
-
Method Detail
-
makeTokenSignature
protected String makeTokenSignature(long tokenExpiryTime, String username, String password)
- Overrides: makeTokenSignature in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
-
retrievePassword
protected String retrievePassword(org.springframework.security.core.Authentication successfulAuthentication)
- Overrides: retrievePassword in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
-
onLoginSuccess
public void onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication)
- Overrides: onLoginSuccess in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
-
processAutoLoginCookie
protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- Overrides: processAutoLoginCookie in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
-
createSuccessfulAuthentication
protected org.springframework.security.core.Authentication createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, org.springframework.security.core.userdetails.UserDetails userDetails)
- Overrides: createSuccessfulAuthentication in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
isTokenExpired
protected boolean isTokenExpired(long tokenExpiryTimeMs)
In addition to the expiration requested by the super class, we also check that the expiration is not too far in the future, especially to detect a maliciously crafted cookie.
- Overrides: isTokenExpired in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
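The two-sided expiry check described for isTokenExpired, as an added example that is not Jenkins code. The class BoundedExpiryCheck, its fields and the way the upper bound is computed (current time plus the configured validity) are assumptions made for illustration; the sample values are constructed.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.concurrent.TimeUnit;

// Added illustration: hypothetical class, not the Jenkins implementation.
public class BoundedExpiryCheck {
    private final Clock clock;
    private final int validitySeconds;   // configured remember-me lifetime
    private final boolean skipTooFar;    // stands in for an escape-hatch flag

    BoundedExpiryCheck(Clock clock, int validitySeconds, boolean skipTooFar) {
        this.clock = clock;
        this.validitySeconds = validitySeconds;
        this.skipTooFar = skipTooFar;
    }

    // Returns true when a cookie carrying this expiry must be rejected.
    boolean isTokenExpired(long tokenExpiryTimeMs) {
        long nowMs = clock.millis();
        // Assumed bound: the latest expiry a cookie issued right now could carry.
        // Adding to nowMs (not to the cookie value) keeps Long.MAX_VALUE input safe.
        long maxExpiryMs = nowMs + TimeUnit.SECONDS.toMillis(validitySeconds);
        if (!skipTooFar && tokenExpiryTimeMs > maxExpiryMs) {
            return true;
        }
        return tokenExpiryTimeMs < nowMs; // ordinary "already expired" check
    }

    static void check(boolean actual, boolean expected, String label) {
        if (actual != expected) throw new AssertionError(label);
    }

    public static void main(String[] args) {
        // Constructed inputs: fixed clock and a 14-day lifetime chosen for the demo.
        Clock fixed = Clock.fixed(Instant.parse("2024-01-01T00:00:00Z"), ZoneOffset.UTC);
        int lifetime = (int) TimeUnit.DAYS.toSeconds(14);
        long now = fixed.millis(), day = TimeUnit.DAYS.toMillis(1);
        BoundedExpiryCheck strict = new BoundedExpiryCheck(fixed, lifetime, false);
        BoundedExpiryCheck lenient = new BoundedExpiryCheck(fixed, lifetime, true);

        check(strict.isTokenExpired(now - 1), true, "past expiry");
        check(strict.isTokenExpired(now + 7 * day), false, "inside window");
        check(strict.isTokenExpired(now + 14 * day), false, "exactly at bound");
        check(strict.isTokenExpired(now + 15 * day), true, "beyond window");
        check(strict.isTokenExpired(Long.MAX_VALUE), true, "absurd expiry");
        check(lenient.isTokenExpired(now + 15 * day), false, "check skipped");
        System.out.println("all cases behaved as expected");
    }
}
```

With the skip flag set, only the lower bound applies, so a cookie with an expiry beyond the configured lifetime is treated like any unexpired one.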
-
getTokenValiditySeconds
protected int getTokenValiditySeconds()
- Overrides: getTokenValiditySeconds in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
getCookieName
protected String getCookieName()
- Overrides: getCookieName in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
-