@Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public class TokenBasedRememberMeServices2
extends org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
TokenBasedRememberMeServices with modification so as not to rely
on the user password being available.
This allows remember-me to work with security realms where the password is never available in clear text.
| Modifier and Type | Field and Description |
|---|---|
static boolean |
SKIP_TOO_FAR_EXPIRATION_DATE_CHECK
Escape hatch for the check on the maximum date for the expiration duration of the remember me cookie
|
| Constructor and Description |
|---|
TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
Decorate
UserDetailsService so that we can use information stored in
LastGrantedAuthoritiesProperty. |
| Modifier and Type | Method and Description |
|---|---|
protected org.springframework.security.core.Authentication |
createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
org.springframework.security.core.userdetails.UserDetails userDetails) |
protected String |
getCookieName() |
protected int |
getTokenValiditySeconds() |
protected boolean |
isTokenExpired(long tokenExpiryTimeMs)
In addition to the expiration requested by the super class, we also check the expiration is not too far in the future.
|
protected String |
makeTokenSignature(long tokenExpiryTime,
String username,
String password) |
void |
onLoginSuccess(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
org.springframework.security.core.Authentication successfulAuthentication) |
protected org.springframework.security.core.userdetails.UserDetails |
processAutoLoginCookie(String[] cookieTokens,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response) |
protected String |
retrievePassword(org.springframework.security.core.Authentication successfulAuthentication) |
calculateLoginLifetime, retrieveUserNameafterPropertiesSet, autoLogin, cancelCookie, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getKey, getParameter, getUserDetailsService, loginFail, loginSuccess, logout, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookiepublic static boolean SKIP_TOO_FAR_EXPIRATION_DATE_CHECK
public TokenBasedRememberMeServices2(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
UserDetailsService so that we can use information stored in
LastGrantedAuthoritiesProperty.
We wrap by ImpersonatingUserDetailsService2 in other places too,
so this is possibly redundant, but there are many AbstractPasswordBasedSecurityRealm.loadUserByUsername2(String)
implementations that do not do it, so doing it helps retrofit old plugins to benefit from
the user impersonation improvements. Plus multiple ImpersonatingUserDetailsService2
do not incur any real performance penalty.
TokenBasedRememberMeServices needs to be used in conjunction with RememberMeAuthenticationProvider
(see AbstractPasswordBasedSecurityRealm.createSecurityComponents())
and both need to use the same key and various security plugins need to do the same.
protected String makeTokenSignature(long tokenExpiryTime, String username, String password)
makeTokenSignature in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServicesprotected String retrievePassword(org.springframework.security.core.Authentication successfulAuthentication)
retrievePassword in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServicespublic void onLoginSuccess(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
org.springframework.security.core.Authentication successfulAuthentication)
onLoginSuccess in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServicesprotected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
processAutoLoginCookie in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServicesprotected org.springframework.security.core.Authentication createSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
org.springframework.security.core.userdetails.UserDetails userDetails)
createSuccessfulAuthentication in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesprotected boolean isTokenExpired(long tokenExpiryTimeMs)
isTokenExpired in class org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServicesprotected int getTokenValiditySeconds()
getTokenValiditySeconds in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesprotected String getCookieName()
getCookieName in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesCopyright © 2004–2021. All rights reserved.