egovframework.rfc3.iam.security.authentication.rememberme
Class PersistentTokenBasedRememberMeServices

java.lang.Object
  extended by egovframework.rfc3.iam.security.authentication.rememberme.AbstractRememberMeServices
      extended by egovframework.rfc3.iam.security.authentication.rememberme.PersistentTokenBasedRememberMeServices
All Implemented Interfaces:
RFC3RememberMeServices, org.springframework.beans.factory.InitializingBean, org.springframework.security.web.authentication.logout.LogoutHandler

public class PersistentTokenBasedRememberMeServices
extends AbstractRememberMeServices

RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice. There is a slight modification to the described approach, in that the username is not stored as part of the cookie but obtained from the persistent store via an implementation of PersistentTokenRepository. The latter should place a unique constraint on the series identifier, so that it is impossible for the same identifier to be allocated to two different users.

User management such as changing passwords, removing users and setting user status should be combined with maintenance of the user's persistent tokens.

Note that while this class will use the date a token was created to check whether a presented cookie is older than the configured tokenValiditySeconds property and deny authentication in this case, it will not delete these tokens from storage. A suitable batch process should be run periodically to remove expired tokens from the database.
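An added configuration example, not part of the egovframework Javadoc or source, showing how this class is wired as a Spring bean through the setters listed on this page and paired with the periodic sweep of expired tokens that the description calls for. The REMEMBER_ME_KEY environment variable, the cookie name, and the persistent_logins table with its last_used column are assumptions; adjust them to the repository actually in use.

```java
import java.sql.Timestamp;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.core.userdetails.UserDetailsService;
import egovframework.rfc3.iam.security.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import egovframework.rfc3.iam.security.authentication.rememberme.PersistentTokenRepository;

@Configuration
public class RememberMeConfig {
    private static final int SEVEN_DAYS_S = 7 * 24 * 60 * 60;
    private final JdbcTemplate jdbc;

    public RememberMeConfig(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    // Assumed: a PersistentTokenRepository bean (backed by a table with a UNIQUE
    // constraint on the series column) and a UserDetailsService bean already exist.
    @Bean
    public PersistentTokenBasedRememberMeServices rememberMeServices(
            PersistentTokenRepository tokenRepository,
            UserDetailsService userDetailsService) throws Exception { // constructor declares Exception
        PersistentTokenBasedRememberMeServices services = new PersistentTokenBasedRememberMeServices();
        services.setTokenRepository(tokenRepository);
        services.setUserDetailsService(userDetailsService);
        services.setKey(System.getenv("REMEMBER_ME_KEY"));   // inherited setter; key read from env (assumed), not hard-coded
        services.setCookieName("EGOV_REMEMBER_ME");          // assumed cookie name
        services.setUseSecureCookie(true);                   // cookie is sent over HTTPS only
        services.setSeriesLength(PersistentTokenBasedRememberMeServices.DEFAULT_SERIES_LENGTH);
        services.setTokenLength(PersistentTokenBasedRememberMeServices.DEFAULT_TOKEN_LENGTH);
        // Cookies older than this are rejected by the service but NOT deleted from storage.
        services.setTokenValiditySeconds(SEVEN_DAYS_S);
        return services;                                     // afterPropertiesSet() runs via InitializingBean
    }

    // The batch process the description asks for: purge rows the service would reject anyway.
    // Assumed schema: persistent_logins(username, series, token, last_used); requires
    // @EnableScheduling on some configuration class. Returns the number of rows removed.
    @Scheduled(cron = "0 0 3 * * *")   // nightly at 03:00
    public int sweepExpiredTokens() {
        Timestamp cutoff = Timestamp.from(Instant.now().minus(SEVEN_DAYS_S, ChronoUnit.SECONDS));
        return jdbc.update("DELETE FROM persistent_logins WHERE last_used < ?", cutoff);
    }
}
```

Keep the sweep cutoff in step with tokenValiditySeconds so the database never holds tokens the service has already stopped accepting.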

Since:
2.0
Author:
Luke Taylor

Field Summary
static int DEFAULT_SERIES_LENGTH
static int DEFAULT_TOKEN_LENGTH

Fields inherited from class egovframework.rfc3.iam.security.authentication.rememberme.AbstractRememberMeServices
DEFAULT_PARAMETER, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S
 
Constructor Summary
PersistentTokenBasedRememberMeServices()

Method Summary
void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication)
          Implementation of LogoutHandler.
void setSeriesLength(int seriesLength)
void setTokenLength(int tokenLength)
void setTokenRepository(PersistentTokenRepository tokenRepository)
void setTokenValiditySeconds(int tokenValiditySeconds)

Methods inherited from class egovframework.rfc3.iam.security.authentication.rememberme.AbstractRememberMeServices
afterPropertiesSet, autoLogin, extractRememberMeCookie, getKey, getParameter, loginFail, loginSuccess, onCookiesValidate, setAlwaysRemember, setAuthenticationDetailsSource, setCookieName, setKey, setParameter, setUserDetailsService, setUseSecureCookie
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_SERIES_LENGTH

public static final int DEFAULT_SERIES_LENGTH

DEFAULT_TOKEN_LENGTH

public static final int DEFAULT_TOKEN_LENGTH
Constructor Detail

PersistentTokenBasedRememberMeServices

public PersistentTokenBasedRememberMeServices()
                                       throws java.lang.Exception
Throws:
java.lang.Exception
Method Detail

logout

public void logout(javax.servlet.http.HttpServletRequest request,
                   javax.servlet.http.HttpServletResponse response,
                   org.springframework.security.core.Authentication authentication)
Description copied from class: AbstractRememberMeServices
Implementation of LogoutHandler. Default behaviour is to call cancelCookie().

Specified by:
logout in interface org.springframework.security.web.authentication.logout.LogoutHandler
Overrides:
logout in class AbstractRememberMeServices

setTokenRepository

public void setTokenRepository(PersistentTokenRepository tokenRepository)

setSeriesLength

public void setSeriesLength(int seriesLength)

setTokenLength

public void setTokenLength(int tokenLength)

setTokenValiditySeconds

public void setTokenValiditySeconds(int tokenValiditySeconds)
Overrides:
setTokenValiditySeconds in class AbstractRememberMeServices