Class TokenBasedRememberMeServices2

java.lang.Object
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
hudson.security.TokenBasedRememberMeServices2
All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.web.authentication.logout.LogoutHandler, org.springframework.security.web.authentication.RememberMeServices

@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public class TokenBasedRememberMeServices2 extends org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
TokenBasedRememberMeServices with modification so as not to rely on the user password being available.

This allows remember-me to work with security realms where the password is never available in clear text.

Author:
Kohsuke Kawaguchi
See Also:
  • TokenBasedRememberMeServices
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static boolean
    Escape hatch for the check on the maximum date for the expiration duration of the remember me cookie

    Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

    DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S
  • Constructor Summary

    Constructors
    Constructor
    Description
    TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
    Decorate UserDetailsService so that we can use information stored in LastGrantedAuthoritiesProperty.
  • Method Summary

    Modifier and Type
    Method
    Description
    protected int
    calculateLoginLifetime(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.Authentication authentication)
    Calculates the validity period in seconds for a newly generated remember-me login.
    protected org.springframework.security.core.Authentication
    createSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.userdetails.UserDetails userDetails)
     
    protected String
     
    protected int
     
    protected boolean
    isTokenExpired(long tokenExpiryTimeMs)
    In addition to the expiration requested by TokenBasedRememberMeServices.isTokenExpired(long), we also check the expiration is not too far in the future.
    protected String
    makeTokenSignature(long tokenExpiryTime, String username)
     
    void
    onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication)
     
    protected org.springframework.security.core.userdetails.UserDetails
    processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
     

    Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

    afterPropertiesSet, autoLogin, cancelCookie, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getKey, getParameter, getUserDetailsService, loginFail, loginSuccess, logout, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieCustomizer, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • SKIP_TOO_FAR_EXPIRATION_DATE_CHECK

      public static boolean SKIP_TOO_FAR_EXPIRATION_DATE_CHECK
      Escape hatch for the check on the maximum date for the expiration duration of the remember me cookie
  • Constructor Details

  • Method Details

    • makeTokenSignature

      protected String makeTokenSignature(long tokenExpiryTime, String username)
    • onLoginSuccess

      public void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication)
      Specified by:
      onLoginSuccess in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    • calculateLoginLifetime

      protected int calculateLoginLifetime(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.Authentication authentication)
      Calculates the validity period in seconds for a newly generated remember-me login. After this period (from the current time) the remember-me login will be considered expired. This method allows customization based on request parameters supplied with the login or information in the Authentication object. The default value is just the token validity period property, tokenValiditySeconds.

      The returned value will be used to work out the expiry time of the token and will also be used to set the maxAge property of the cookie. See SEC-485.

      Parameters:
      request - the request passed to onLoginSuccess
      authentication - the successful authentication object.
      Returns:
      the lifetime in seconds.
    • processAutoLoginCookie

      protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Specified by:
      processAutoLoginCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    • createSuccessfulAuthentication

      protected org.springframework.security.core.Authentication createSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, org.springframework.security.core.userdetails.UserDetails userDetails)
      Overrides:
      createSuccessfulAuthentication in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    • isTokenExpired

      protected boolean isTokenExpired(long tokenExpiryTimeMs)
      In addition to the expiration requested by TokenBasedRememberMeServices.isTokenExpired(long), we also check the expiration is not too far in the future. Especially to detect maliciously crafted cookie.
    • getTokenValiditySeconds

      protected int getTokenValiditySeconds()
      Overrides:
      getTokenValiditySeconds in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    • getCookieName

      protected String getCookieName()
      Overrides:
      getCookieName in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices