Class TokenBasedRememberMeServices2
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.MessageSourceAware
,org.springframework.security.web.authentication.logout.LogoutHandler
,org.springframework.security.web.authentication.RememberMeServices
TokenBasedRememberMeServices
with modification so as not to rely
on the user password being available.
This allows remember-me to work with security realms where the password is never available in clear text.
- Author:
- Kohsuke Kawaguchi
- See Also:
-
TokenBasedRememberMeServices
-
Field Summary
Modifier and TypeFieldDescriptionstatic boolean
Escape hatch for the check on the maximum date for the expiration duration of the remember me cookieFields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S
-
Constructor Summary
ConstructorDescriptionTokenBasedRememberMeServices2
(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) DecorateUserDetailsService
so that we can use information stored inLastGrantedAuthoritiesProperty
. -
Method Summary
Modifier and TypeMethodDescriptionprotected int
calculateLoginLifetime
(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.Authentication authentication) Calculates the validity period in seconds for a newly generated remember-me login.protected org.springframework.security.core.Authentication
createSuccessfulAuthentication
(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.userdetails.UserDetails userDetails) protected String
protected int
protected boolean
isTokenExpired
(long tokenExpiryTimeMs) In addition to the expiration requested byTokenBasedRememberMeServices.isTokenExpired(long)
, we also check the expiration is not too far in the future.protected String
makeTokenSignature
(long tokenExpiryTime, String username) void
onLoginSuccess
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication) protected org.springframework.security.core.userdetails.UserDetails
processAutoLoginCookie
(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
afterPropertiesSet, autoLogin, cancelCookie, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getKey, getParameter, getUserDetailsService, loginFail, loginSuccess, logout, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieCustomizer, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie
-
Field Details
-
SKIP_TOO_FAR_EXPIRATION_DATE_CHECK
public static boolean SKIP_TOO_FAR_EXPIRATION_DATE_CHECKEscape hatch for the check on the maximum date for the expiration duration of the remember me cookie
-
-
Constructor Details
-
TokenBasedRememberMeServices2
public TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) DecorateUserDetailsService
so that we can use information stored inLastGrantedAuthoritiesProperty
.We wrap by
ImpersonatingUserDetailsService2
in other places too, so this is possibly redundant, but there are manyAbstractPasswordBasedSecurityRealm.loadUserByUsername2(String)
implementations that do not do it, so doing it helps retrofit old plugins to benefit from the user impersonation improvements. Plus multipleImpersonatingUserDetailsService2
do not incur any real performance penalty.TokenBasedRememberMeServices
needs to be used in conjunction withRememberMeAuthenticationProvider
(seeAbstractPasswordBasedSecurityRealm.createSecurityComponents()
) and both need to use the same key and various security plugins need to do the same.
-
-
Method Details
-
makeTokenSignature
-
onLoginSuccess
public void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication) - Specified by:
onLoginSuccess
in classorg.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
calculateLoginLifetime
protected int calculateLoginLifetime(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.Authentication authentication) Calculates the validity period in seconds for a newly generated remember-me login. After this period (from the current time) the remember-me login will be considered expired. This method allows customization based on request parameters supplied with the login or information in theAuthentication
object. The default value is just the token validity period property,tokenValiditySeconds
.The returned value will be used to work out the expiry time of the token and will also be used to set the
maxAge
property of the cookie. See SEC-485.- Parameters:
request
- the request passed to onLoginSuccessauthentication
- the successful authentication object.- Returns:
- the lifetime in seconds.
-
processAutoLoginCookie
protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) - Specified by:
processAutoLoginCookie
in classorg.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
createSuccessfulAuthentication
protected org.springframework.security.core.Authentication createSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.userdetails.UserDetails userDetails) - Overrides:
createSuccessfulAuthentication
in classorg.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
isTokenExpired
protected boolean isTokenExpired(long tokenExpiryTimeMs) In addition to the expiration requested byTokenBasedRememberMeServices.isTokenExpired(long)
, we also check the expiration is not too far in the future. Especially to detect maliciously crafted cookie. -
getTokenValiditySeconds
protected int getTokenValiditySeconds()- Overrides:
getTokenValiditySeconds
in classorg.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
getCookieName
- Overrides:
getCookieName
in classorg.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-