java.lang.Object
  ↳ org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
      ↳ org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice.

There is a slight modification to the described approach, in that the username is not stored as part of the cookie but is obtained from the persistent store via an implementation of PersistentTokenRepository. The repository should place a unique constraint on the series identifier, so that the same identifier can never be allocated to two different users.

User management operations such as changing passwords, removing users and setting user status should be combined with maintenance of the user's persistent tokens (for example, by removing all of that user's tokens from the repository).

Note that while this class uses the date recorded with a token to check whether a presented cookie is older than the configured tokenValiditySeconds property, and denies authentication in that case, it does not delete expired tokens from storage. A suitable batch process should be run periodically to remove expired tokens from the database.
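The three operational points above (constructor injection, a store with a unique series identifier, and a batch job for expired tokens) in one Spring configuration. This is an added example, not code from this page or from Spring Security itself. It assumes a DataSource bean and a UserDetailsService bean already exist in the context; "remember-me-key" is a placeholder for the secret you would inject, and the nightly cron expression is an arbitrary choice. The table and column names (persistent_logins, last_used) are those of the default table that JdbcTokenRepositoryImpl creates, in which series is the primary key.

```java
import java.sql.Timestamp;
import java.time.Instant;
import java.time.temporal.ChronoUnit;

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableScheduling
public class RememberMeConfig {

    // 14 days. Used both for the cookie max-age and for the expiry check the
    // services perform against the date stored with the token.
    static final int TOKEN_VALIDITY_SECONDS = 14 * 24 * 60 * 60;

    @Bean
    public PersistentTokenRepository persistentTokenRepository(DataSource dataSource) {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        // Creates the default persistent_logins table on first start. Its "series"
        // column is the primary key, which is the unique constraint the class
        // documentation requires. Use a schema migration instead in production.
        repo.setCreateTableOnStartup(true);
        return repo;
    }

    @Bean
    public PersistentTokenBasedRememberMeServices rememberMeServices(
            UserDetailsService userDetailsService, PersistentTokenRepository tokenRepository) {
        // Constructor injection, as the deprecation notices on this page recommend.
        // "remember-me-key" is a placeholder: inject a long random secret, and use the
        // same value for the RememberMeAuthenticationProvider.
        PersistentTokenBasedRememberMeServices services =
                new PersistentTokenBasedRememberMeServices("remember-me-key", userDetailsService, tokenRepository);
        services.setTokenValiditySeconds(TOKEN_VALIDITY_SECONDS);
        services.setCookieName("remember-me");
        services.setParameter("remember-me");
        return services;
    }

    @Bean
    public TokenMaintenance tokenMaintenance(DataSource dataSource, PersistentTokenRepository tokenRepository) {
        return new TokenMaintenance(new JdbcTemplate(dataSource), tokenRepository);
    }

    /** Hypothetical helper (not part of Spring Security) for the two maintenance duties the page describes. */
    public static class TokenMaintenance {
        private final JdbcTemplate jdbcTemplate;
        private final PersistentTokenRepository tokenRepository;

        public TokenMaintenance(JdbcTemplate jdbcTemplate, PersistentTokenRepository tokenRepository) {
            this.jdbcTemplate = jdbcTemplate;
            this.tokenRepository = tokenRepository;
        }

        // The services reject expired tokens but never delete them; this nightly job does.
        // Returns the number of rows removed so a caller can log or alert on it.
        @Scheduled(cron = "0 0 3 * * *")
        public int purgeExpiredTokens() {
            Timestamp cutoff = Timestamp.from(
                    Instant.now().minus(TOKEN_VALIDITY_SECONDS, ChronoUnit.SECONDS));
            return jdbcTemplate.update("delete from persistent_logins where last_used < ?", cutoff);
        }

        // Call this from password-change, account-disable and user-deletion flows so that
        // an old remember-me cookie cannot outlive the credentials it was issued under.
        public void revokeRememberMe(String username) {
            tokenRepository.removeUserTokens(username);
        }
    }
}
```

The purge compares the stored date against the same validity window the services use, so the job only removes rows the services would already have refused; a shorter cutoff would log users out early, a longer one merely leaves dead rows around.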
Constants

Type | Name
---|---
int | DEFAULT_SERIES_LENGTH
int | DEFAULT_TOKEN_LENGTH
Inherited Constants

From class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

Inherited Fields

From class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
Public Constructors

This constructor is deprecated. Use constructor injection.
Public Methods

Implementation of LogoutHandler.

This method is deprecated. Use constructor injection.
Protected Methods

Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.

Locates the presented cookie data in the token repository, using the series id.
Inherited Methods

From class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

From class java.lang.Object

From interface org.springframework.beans.factory.InitializingBean

From interface org.springframework.security.web.authentication.RememberMeServices

From interface org.springframework.security.web.authentication.logout.LogoutHandler
This constructor is deprecated. Use constructor injection.

Implementation of LogoutHandler. Default behaviour is to call cancelCookie().

Parameter | Description
---|---
request | the HTTP request
response | the HTTP response
authentication | the current principal details

This method is deprecated. Use constructor injection.
Creates a new persistent login token with a new series number, stores the data in the persistent token repository and adds the corresponding cookie to the response.

Locates the presented cookie data in the token repository, using the series id. If the data compares successfully with that in the persistent store, a new token is generated and stored with the same series. The corresponding cookie value is set on the response.

Parameter | Description
---|---
cookieTokens | the series and token values
request | the request
response | the response, to allow the cookie to be modified if required.

Throws | When
---|---
RememberMeAuthenticationException | if there is no stored token corresponding to the submitted cookie, or if the token in the persistent store has expired.
InvalidCookieException | if the cookie doesn't have two tokens as expected.
CookieTheftException | if a presented series value is found, but the stored token is different from the one presented.
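The two protected methods described above implement the series/token scheme: a login creates a fresh series with a single-use token, and each auto-login checks the presented pair, rotates the token under the same series, and treats a known series with a wrong token as evidence of cookie theft. The stand-alone sketch below walks through that flow, including the theft branch. It is an added example, not Spring Security's code: an in-memory map stands in for the PersistentTokenRepository, the exception classes are local stand-ins named after the ones in the table above, and the 16-byte random values and 14-day validity are arbitrary choices for the demo.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative series/token remember-me flow (not Spring Security's implementation). */
public class SeriesTokenDemo {

    static class RememberMeAuthenticationException extends RuntimeException {
        RememberMeAuthenticationException(String msg) { super(msg); }
    }
    static class InvalidCookieException extends RememberMeAuthenticationException {
        InvalidCookieException(String msg) { super(msg); }
    }
    static class CookieTheftException extends RememberMeAuthenticationException {
        CookieTheftException(String msg) { super(msg); }
    }

    /** One row of the persistent store; the map key is the series, the token rotates. */
    static final class StoredToken {
        final String username;
        String token;
        Instant date;
        StoredToken(String username, String token, Instant date) {
            this.username = username; this.token = token; this.date = date;
        }
    }

    /** Result of a successful auto-login: who it was, and the refreshed {series, token} for the cookie. */
    record AutoLoginResult(String username, String[] refreshedCookieTokens) {}

    private final Map<String, StoredToken> bySeries = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration tokenValidity;

    SeriesTokenDemo(Duration tokenValidity) { this.tokenValidity = tokenValidity; }

    private String randomValue() {
        byte[] b = new byte[16];                       // demo choice, not a documented default
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Counterpart of the "new series" method: returns the two cookie values {series, token}. */
    String[] onLoginSuccess(String username) {
        String series;
        do {
            series = randomValue();
        } while (bySeries.containsKey(series));        // the uniqueness the store must enforce
        StoredToken t = new StoredToken(username, randomValue(), Instant.now());
        bySeries.put(series, t);
        return new String[] { series, t.token };
    }

    /** Counterpart of the auto-login method: validate, rotate the token, report the user. */
    AutoLoginResult processAutoLoginCookie(String[] cookieTokens) {
        if (cookieTokens.length != 2) {
            throw new InvalidCookieException("Cookie did not contain 2 tokens but " + cookieTokens.length);
        }
        String series = cookieTokens[0];
        StoredToken stored = bySeries.get(series);
        if (stored == null) {
            throw new RememberMeAuthenticationException("No persistent token found for series " + series);
        }
        // Constant-time comparison of the presented token with the stored one.
        if (!MessageDigest.isEqual(stored.token.getBytes(UTF_8), cookieTokens[1].getBytes(UTF_8))) {
            // Known series, stale token: either the legitimate user or a thief has already
            // used the newer token. Revoke every series for the user so both are logged out.
            bySeries.values().removeIf(t -> t.username.equals(stored.username));
            throw new CookieTheftException("Series/token mismatch for " + stored.username + "; possible cookie theft");
        }
        if (stored.date.plus(tokenValidity).isBefore(Instant.now())) {
            throw new RememberMeAuthenticationException("Remember-me login has expired");   // row is kept, not deleted
        }
        stored.token = randomValue();                  // same series, new token and date
        stored.date = Instant.now();
        return new AutoLoginResult(stored.username, new String[] { series, stored.token });
    }

    /** What the user-management paragraph asks for: drop every series a user holds. */
    void removeUserTokens(String username) {
        bySeries.values().removeIf(t -> t.username.equals(username));
    }

    public static void main(String[] args) {
        SeriesTokenDemo demo = new SeriesTokenDemo(Duration.ofDays(14));
        String[] cookie = demo.onLoginSuccess("alice");             // browser stores {series, token}
        AutoLoginResult first = demo.processAutoLoginCookie(cookie); // accepted, token rotated
        System.out.println("auto-login as " + first.username());
        try {
            demo.processAutoLoginCookie(cookie);                     // replay of the superseded token
        } catch (CookieTheftException e) {
            System.out.println(e.getMessage() + "; remaining series: " + demo.bySeries.size());
        }
    }
}
```

The theft branch is what distinguishes this design from a plain long-lived cookie: because every successful auto-login retires the presented token, a replay of an old token can only mean two parties hold cookies for the same series, and revoking the whole user rather than the one series is what forces the legitimate user to notice. Note that the expiry check deliberately leaves the row in place, which is why the class documentation asks for a separate purge job.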