java.lang.Object | |
↳ | org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices |
Known Direct Subclasses |
Base class for RememberMeServices implementations.
Constants | |
---|---|
String | DEFAULT_PARAMETER |
String | SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY |
int | TWO_WEEKS_S |
Fields |
---|
logger |
messages |
Protected Constructors |
---|
This constructor is deprecated. Use constructor injection |
Public Methods |
---|
Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method. |
Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. |
Examines the incoming request and checks for the presence of the configured "remember me" parameter. |
Implementation of LogoutHandler. |
This method is deprecated. Use constructor injection |
Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request. |
Whether the cookie should be flagged as secure or not. |
Sets the strategy to be used to validate the UserDetails object obtained for the user when processing a remember-me cookie to automatically log in a user. |
This method is deprecated. Use constructor injection |
Protected Methods |
---|
Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins. |
Creates the final Authentication object returned from the autoLogin method. |
Decodes the cookie and splits it into a set of token strings using the ":" delimiter. |
Inverse operation of decodeCookie. |
Locates the Spring Security remember me cookie in the request and returns its value. |
Called from loginSuccess when a remember-me login has been requested. |
Called from autoLogin to process the submitted persistent login cookie. |
Allows customization of whether a remember-me login has been requested. |
Sets the cookie on the response. |
Inherited Methods |
---|
From class java.lang.Object |
From interface org.springframework.beans.factory.InitializingBean |
From interface org.springframework.security.web.authentication.RememberMeServices |
From interface org.springframework.security.web.authentication.logout.LogoutHandler |
This constructor is deprecated. Use constructor injection
Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method.
The returned username is then used to load the UserDetails object for the user, which in turn is used to create a valid authentication token.
request | to look for a remember-me token within |
---|---|
response | to change, cancel or modify the remember-me token |
null if the request should not be authenticated
Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated in the HttpServletRequest.
request | that contained an invalid authentication request |
---|---|
response | to change, cancel or modify the remember-me token |
Examines the incoming request and checks for the presence of the configured "remember me" parameter. If it's present, or if alwaysRemember is set to true, calls onLoginSuccess.
request | that contained the valid authentication request |
---|---|
response | to change, cancel or modify the remember-me token |
successfulAuthentication | representing the successfully authenticated principal |
Implementation of LogoutHandler. Default behaviour is to call cancelCookie().
request | the HTTP request |
---|---|
response | the HTTP response |
authentication | the current principal details |
Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request. This should be the same name you assign to the checkbox in your login form.
parameter | the HTTP request parameter |
---|
Whether the cookie should be flagged as secure or not. Secure cookies can only be sent over an HTTPS connection and thus cannot be accidentally submitted over HTTP where they could be intercepted.
By default the cookie will be secure if the request is secure. If you only want to use remember-me over HTTPS (recommended) you should set this property to true.
useSecureCookie | set to true to always use secure cookies, false to disable their use. |
---|
Sets the strategy to be used to validate the UserDetails object obtained for the user when processing a remember-me cookie to automatically log in a user.
userDetailsChecker | the strategy which will be passed the user object to allow it to be rejected if account should not be allowed to authenticate (if it is locked, for example). Defaults to an AccountStatusUserDetailsChecker instance. |
---|
This method is deprecated. Use constructor injection
Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.
Creates the final Authentication object returned from the autoLogin method.
By default it will create a RememberMeAuthenticationToken instance.
request | the original request. The configured AuthenticationDetailsSource will use this to build the details property of the returned object. |
---|---|
user | the UserDetails loaded from the UserDetailsService. This will be stored as the principal. |
Decodes the cookie and splits it into a set of token strings using the ":" delimiter.
cookieValue | the value obtained from the submitted cookie |
---|
InvalidCookieException | if the cookie was not base64 encoded. |
---|
Inverse operation of decodeCookie.
cookieTokens | the tokens to be encoded. |
---|
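The decodeCookie/encodeCookie pair described above, modelled in plain Java as an added example; it is not Spring Security's source. The class name and the nested InvalidCookieException are stand-ins defined here, and the sketch assumes token values contain no ":" characters.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added illustration, not Spring Security source: a simplified model of the
// decodeCookie/encodeCookie behaviour (Base64 text, ":" delimiter).
public class RememberMeCookieCodecSketch {

    // Hypothetical stand-in for the InvalidCookieException named on the page.
    static class InvalidCookieException extends RuntimeException {
        InvalidCookieException(String msg) { super(msg); }
    }

    static final String DELIMITER = ":";

    // Joins the tokens with ":" and Base64-encodes the result.
    static String encodeCookie(String[] cookieTokens) {
        String joined = String.join(DELIMITER, cookieTokens);
        return Base64.getEncoder().encodeToString(joined.getBytes(StandardCharsets.UTF_8));
    }

    // Base64-decodes the cookie value and splits it on ":".
    static String[] decodeCookie(String cookieValue) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(cookieValue);
        } catch (IllegalArgumentException e) {
            throw new InvalidCookieException("Cookie value was not Base64 encoded");
        }
        // limit -1 keeps trailing empty tokens so the token count stays exact
        return new String(raw, StandardCharsets.UTF_8).split(DELIMITER, -1);
    }

    public static void main(String[] args) {
        // Constructed sample tokens, not real credentials.
        String[] tokens = { "constructed-token-one", "constructed-token-two" };
        String cookie = encodeCookie(tokens);
        System.out.println("cookie value: " + cookie);
        System.out.println("round trip ok: " + Arrays.equals(tokens, decodeCookie(cookie)));

        // Encoding gives no integrity protection: any well-formed Base64 value
        // decodes, so validation has to happen in processAutoLoginCookie.
        try {
            decodeCookie("not base64 !!");
        } catch (InvalidCookieException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```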
Locates the Spring Security remember me cookie in the request and returns its value. The cookie is searched for by name and also by matching the context path to the cookie path.
request | the submitted request which is to be authenticated |
---|
Called from loginSuccess when a remember-me login has been requested. Typically implemented by subclasses to set a remember-me cookie and potentially store a record of it if the implementation requires this.
Called from autoLogin to process the submitted persistent login cookie. Subclasses should validate the cookie and perform any additional management required.
cookieTokens | the decoded and tokenized cookie value |
---|---|
request | the request |
response | the response, to allow the cookie to be modified if required. |
RememberMeAuthenticationException | if the cookie is invalid or the login is invalid for some other reason. |
---|---|
UsernameNotFoundException | if the user account corresponding to the login cookie couldn't be found (for example if the user has been removed from the system). |
Allows customization of whether a remember-me login has been requested. The default is to return true if alwaysRemember is set or the configured parameter name has been included in the request and is set to the value "true".
request | the request submitted from an interactive login, which may include additional information indicating that a persistent login is desired. |
---|---|
parameter | the configured remember-me parameter name. |
Sets the cookie on the response.
By default a secure cookie will be used if the connection is secure. You can set the useSecureCookie property to false to override this. If you set it to true, the cookie will always be flagged as secure. If Servlet 3.0 is used, the cookie will be marked as HttpOnly.
tokens | the tokens which will be encoded to make the cookie value. |
---|---|
maxAge | the value passed to setMaxAge(int) |
request | the request |
response | the response to add the cookie to. |