Package hudson.security

Class TokenBasedRememberMeServices2

java.lang.Object

org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

hudson.security.TokenBasedRememberMeServices2

All Implemented Interfaces:

org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.web.authentication.logout.LogoutHandler, org.springframework.security.web.authentication.RememberMeServices

@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public class TokenBasedRememberMeServices2
extends org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

TokenBasedRememberMeServices with modification so as not to rely on the user password being available.

This allows remember-me to work with security realms where the password is never available in clear text.

Author:

Kohsuke Kawaguchi

See Also:

• TokenBasedRememberMeServices

Field Summary

Fields

Modifier and Type	Field	Description
static boolean	SKIP_TOO_FAR_EXPIRATION_DATE_CHECK	Escape hatch for the check on the maximum date for the expiration duration of the remember me cookie

Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S

Constructor Summary

Constructors

Constructor	Description
TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)	Decorate UserDetailsService so that we can use information stored in LastGrantedAuthoritiesProperty.

Method Summary

Modifier and Type	Method	Description
protected int	calculateLoginLifetime(javax.servlet.http.HttpServletRequest request, org.springframework.security.core.Authentication authentication)	Calculates the validity period in seconds for a newly generated remember-me login.
protected org.springframework.security.core.Authentication	createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, org.springframework.security.core.userdetails.UserDetails userDetails)
protected String	getCookieName()
protected int	getTokenValiditySeconds()
protected boolean	isTokenExpired(long tokenExpiryTimeMs)	In addition to the expiration requested by TokenBasedRememberMeServices.isTokenExpired(long), we also check the expiration is not too far in the future.
protected String	makeTokenSignature(long tokenExpiryTime, String username)
void	onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication)
protected org.springframework.security.core.userdetails.UserDetails	processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

afterPropertiesSet, autoLogin, cancelCookie, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getKey, getParameter, getUserDetailsService, loginFail, loginSuccess, logout, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

SKIP_TOO_FAR_EXPIRATION_DATE_CHECK

public static boolean SKIP_TOO_FAR_EXPIRATION_DATE_CHECK

Escape hatch for the check on the maximum date for the expiration duration of the remember me cookie

Constructor Details

TokenBasedRememberMeServices2

public TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)

Decorate UserDetailsService so that we can use information stored in LastGrantedAuthoritiesProperty.

We wrap by ImpersonatingUserDetailsService2 in other places too, so this is possibly redundant, but there are many AbstractPasswordBasedSecurityRealm.loadUserByUsername2(String) implementations that do not do it, so doing it helps retrofit old plugins to benefit from the user impersonation improvements. Plus multiple ImpersonatingUserDetailsService2 do not incur any real performance penalty.

TokenBasedRememberMeServices needs to be used in conjunction with RememberMeAuthenticationProvider (see AbstractPasswordBasedSecurityRealm.createSecurityComponents()) and both need to use the same key and various security plugins need to do the same.

Method Details

makeTokenSignature

protected String makeTokenSignature(long tokenExpiryTime,
 String username)

onLoginSuccess

public void onLoginSuccess(javax.servlet.http.HttpServletRequest request,
 javax.servlet.http.HttpServletResponse response,
 org.springframework.security.core.Authentication successfulAuthentication)

Specified by:

onLoginSuccess in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

calculateLoginLifetime

protected int calculateLoginLifetime(javax.servlet.http.HttpServletRequest request,
 org.springframework.security.core.Authentication authentication)

Calculates the validity period in seconds for a newly generated remember-me login. After this period (from the current time) the remember-me login will be considered expired. This method allows customization based on request parameters supplied with the login or information in the Authentication object. The default value is just the token validity period property, tokenValiditySeconds.

The returned value will be used to work out the expiry time of the token and will also be used to set the maxAge property of the cookie. See SEC-485.

Parameters:

request - the request passed to onLoginSuccess

authentication - the successful authentication object.

Returns:

the lifetime in seconds.

processAutoLoginCookie

protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie(String[] cookieTokens,
 javax.servlet.http.HttpServletRequest request,
 javax.servlet.http.HttpServletResponse response)

Specified by:

processAutoLoginCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

createSuccessfulAuthentication

protected org.springframework.security.core.Authentication createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
 org.springframework.security.core.userdetails.UserDetails userDetails)

Overrides:

createSuccessfulAuthentication in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

isTokenExpired

protected boolean isTokenExpired(long tokenExpiryTimeMs)

In addition to the expiration requested by TokenBasedRememberMeServices.isTokenExpired(long), we also check the expiration is not too far in the future. Especially to detect maliciously crafted cookie.

getTokenValiditySeconds

protected int getTokenValiditySeconds()

Overrides:

getTokenValiditySeconds in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

getCookieName

protected String getCookieName()

Overrides:

getCookieName in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices