public class KeyBasedPersistenceTokenService extends Object implements InitializingBean, TokenService

java.lang.Object
   ↳ org.springframework.security.core.token.KeyBasedPersistenceTokenService

Class Overview

Basic implementation of TokenService that is compatible with clusters and across machine restarts, without requiring database persistence.

Keys are produced in the format:

Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )

In the above, creationTime, tokenKey and extendedInformation are equal to that stored in Token. The Sha512Hex includes the same payload, plus a serverSecret.

The serverSecret varies every millisecond. It is derived from two static server-side secrets: a password and a server integer. Both must remain unchanged for previously issued keys to still be recognised. The serverSecret applicable in a given millisecond is computed as password + ":" + (creationTime % serverInteger). This further obfuscates the actual server secret and limits the usefulness of any attempt to compute it (as any false tokens would be forced to have a creationTime equal to the computed hash). Recall that framework features depending on token services should in any event reject tokens that are relatively old.

A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers. To this end, the use of SecureRandomFactoryBean is recommended to inject the property.

This implementation uses UTF-8 encoding internally for string manipulation.

Summary

Public Constructors
KeyBasedPersistenceTokenService()
Public Methods
void afterPropertiesSet()
Token allocateToken(String extendedInformation)
Forces the allocation of a new Token.
void setPseudoRandomNumberBits(int pseudoRandomNumberBits)
void setSecureRandom(SecureRandom secureRandom)
void setServerInteger(Integer serverInteger)
void setServerSecret(String serverSecret)
Token verifyToken(String key)
Permits verification that the key obtained from getKey() was issued by this TokenService and reconstructs the corresponding Token.
Inherited Methods
From class java.lang.Object
From interface org.springframework.beans.factory.InitializingBean
From interface org.springframework.security.core.token.TokenService

Public Constructors

public KeyBasedPersistenceTokenService ()

Public Methods

public void afterPropertiesSet ()

Throws
Exception

public Token allocateToken (String extendedInformation)

Forces the allocation of a new Token.

Parameters
extendedInformation the extended information desired in the token (cannot be null, but can be empty)
Returns
  • a new token that has not been issued previously, and is guaranteed to be recognised by this implementation's verifyToken(String) at any future time.

public void setPseudoRandomNumberBits (int pseudoRandomNumberBits)

Parameters
pseudoRandomNumberBits changes the number of bits issued (must be >= 0; defaults to 256)

public void setSecureRandom (SecureRandom secureRandom)

public void setServerInteger (Integer serverInteger)

public void setServerSecret (String serverSecret)

Parameters
serverSecret the new secret, which can contain a ":" if desired (never being sent to the client)

public Token verifyToken (String key)

Permits verification that the key obtained from getKey() was issued by this TokenService and reconstructs the corresponding Token.

Parameters
key as obtained from getKey() and created by this implementation
Returns
  • the token, or null if the token was not issued by this TokenService
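The following is an added Python re-implementation of the documented key format (creationTime, pseudo-random number, extendedInformation, per-millisecond serverSecret, Sha512Hex, Base64) covering both allocateToken and verifyToken; it is not Spring Security's own code. The secret, server integer and the optional max-age check are constructed assumptions, and verification uses a constant-time comparison and tolerates ":" inside extendedInformation.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed example values (hypothetical); a real deployment keeps the secret out of source.
SERVER_SECRET = "example-server-secret"
SERVER_INTEGER = 7
PSEUDO_RANDOM_BITS = 256


def server_secret_at(creation_time_ms):
    """serverSecret for a given millisecond: password + ":" + (creationTime % serverInteger)."""
    return f"{SERVER_SECRET}:{creation_time_ms % SERVER_INTEGER}"


def sha512_hex(payload):
    return hashlib.sha512(payload.encode("utf-8")).hexdigest()


def allocate_token(extended_information, creation_time_ms=None, random_hex=None):
    """Build a key in the documented format; time and randomness are injectable for tests."""
    if extended_information is None:
        raise ValueError("extendedInformation cannot be null (empty is allowed)")
    if creation_time_ms is None:
        creation_time_ms = int(time.time() * 1000)
    if random_hex is None:  # cryptographically strong source, as SecureRandom would be
        random_hex = secrets.token_hex(PSEUDO_RANDOM_BITS // 8)
    content = f"{creation_time_ms}:{random_hex}:{extended_information}"
    digest = sha512_hex(f"{content}:{server_secret_at(creation_time_ms)}")
    return base64.b64encode(f"{content}:{digest}".encode("utf-8")).decode("ascii")


def verify_token(key, max_age_ms=None, now_ms=None):
    """Return (creationTime, extendedInformation), or None if the key was not issued with our secrets."""
    try:
        parts = base64.b64decode(key, validate=True).decode("utf-8").split(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    creation_time_ms, random_hex, presented = int(parts[0]), parts[1], parts[-1]
    extended_information = ":".join(parts[2:-1])  # extendedInformation may itself contain ":"
    expected = sha512_hex(f"{creation_time_ms}:{random_hex}:{extended_information}:{server_secret_at(creation_time_ms)}")
    if not hmac.compare_digest(presented, expected):
        return None  # wrong secret, tampered payload, or forged creationTime
    if max_age_ms is not None and (now_ms if now_ms is not None else int(time.time() * 1000)) - creation_time_ms > max_age_ms:
        return None  # the overview expects consumers to reject relatively old tokens
    return creation_time_ms, extended_information
```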