PersistentTokenBasedRememberMeServices

Class Overview

RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice. There is a slight modification to the described approach, in that the username is not stored as part of the cookie but obtained from the persistent store via an implementation of PersistentTokenRepository. The latter should place a unique constraint on the series identifier, so that it is impossible for the same identifier to be allocated to two different users.

User management such as changing passwords, removing users and setting user status should be combined with maintenance of the user's persistent tokens.

Note that while this class will use the date a token was created to check whether a presented cookie is older than the configured tokenValiditySeconds property and deny authentication in this case, it will not delete these tokens from storage. A suitable batch process should be run periodically to remove expired tokens from the database.

Summary

[Expand] Inherited Constants
From class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices String DEFAULT_PARAMETER String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY int TWO_WEEKS_S

[Expand] Inherited Fields
From class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices protected final Log logger protected final MessageSourceAccessor messages

[Expand] Inherited Methods
From class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices void afterPropertiesSet() final Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method. void cancelCookie(HttpServletRequest request, HttpServletResponse response) Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins. Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails user) Creates the final Authentication object returned from the autoLogin method. String[] decodeCookie(String cookieValue) Decodes the cookie and splits it into a set of token strings using the ":" delimiter. String encodeCookie(String[] cookieTokens) Inverse operation of decodeCookie. String extractRememberMeCookie(HttpServletRequest request) Locates the Spring Security remember me cookie in the request and returns its value. AuthenticationDetailsSource<HttpServletRequest, ?> getAuthenticationDetailsSource() String getCookieName() String getKey() String getParameter() int getTokenValiditySeconds() UserDetailsService getUserDetailsService() final void loginFail(HttpServletRequest request, HttpServletResponse response) Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. final void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) Examines the incoming request and checks for the presence of the configured "remember me" parameter. void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) Implementation of LogoutHandler. void onLoginFail(HttpServletRequest request, HttpServletResponse response) abstract void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) Called from loginSuccess when a remember-me login has been requested. abstract UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request, HttpServletResponse response) Called from autoLogin to process the submitted persistent login cookie. boolean rememberMeRequested(HttpServletRequest request, String parameter) Allows customization of whether a remember-me login has been requested. void setAlwaysRemember(boolean alwaysRemember) void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) Sets the cookie on the response. void setCookieName(String cookieName) void setKey(String key) This method is deprecated. Use constructor injection void setParameter(String parameter) Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request. void setTokenValiditySeconds(int tokenValiditySeconds) void setUseSecureCookie(boolean useSecureCookie) Whether the cookie should be flagged as secure or not. void setUserDetailsChecker(UserDetailsChecker userDetailsChecker) Sets the strategy to be used to validate the UserDetails object obtained for the user when processing a remember-me cookie to automatically log in a user. void setUserDetailsService(UserDetailsService userDetailsService) This method is deprecated. Use constructor injection
From class java.lang.Object Object clone() boolean equals(Object arg0) void finalize() final Class<?> getClass() int hashCode() final void notify() final void notifyAll() String toString() final void wait() final void wait(long arg0, int arg1) final void wait(long arg0)
From interface org.springframework.beans.factory.InitializingBean abstract void afterPropertiesSet()
From interface org.springframework.security.web.authentication.RememberMeServices abstract Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) This method will be called whenever the SecurityContextHolder does not contain an Authentication object and Spring Security wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities. abstract void loginFail(HttpServletRequest request, HttpServletResponse response) Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. abstract void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) Called whenever an interactive authentication attempt is successful.
From interface org.springframework.security.web.authentication.logout.LogoutHandler abstract void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) Causes a logout to be completed.