egovframework.rfc3.iam.security.authentication.rememberme
Class PersistentTokenBasedRememberMeServices
java.lang.Object
egovframework.rfc3.iam.security.authentication.rememberme.AbstractRememberMeServices
egovframework.rfc3.iam.security.authentication.rememberme.PersistentTokenBasedRememberMeServices
- All Implemented Interfaces:
- RFC3RememberMeServices, org.springframework.beans.factory.InitializingBean, org.springframework.security.web.authentication.logout.LogoutHandler
public class PersistentTokenBasedRememberMeServices
- extends AbstractRememberMeServices
RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice.
There is a slight modification to the described approach, in that the username is not stored as part of the cookie
but obtained from the persistent store via an implementation of PersistentTokenRepository. The latter
should place a unique constraint on the series identifier, so that it is impossible for the same identifier to be
allocated to two different users.
User management such as changing passwords, removing users and setting user status should be combined
with maintenance of the user's persistent tokens.
Note that while this class will use the date a token was created to check whether a presented cookie
is older than the configured tokenValiditySeconds property and deny authentication in this case,
it will not delete these tokens from storage. A suitable batch process should be run periodically to
remove expired tokens from the database.
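The storage behaviour described above, as an added example that is not part of this class or of the framework's source: the cookie carries only a series and a token, the username is looked up by series, an expired token is denied but left in place, and a separate purge step removes it. The class name, method names, in-memory map and 16-byte random values are assumptions made for the sketch, and token rotation from Jaspan's scheme is left out.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical in-memory sketch; names here are assumptions, not the framework's API.
public class PersistentLoginSketch {
    static final class Row { // one stored token row
        final String username, token; final long created;
        Row(String u, String t, long c) { username = u; token = t; created = c; }
    }
    private final Map<String, Row> store = new ConcurrentHashMap<>(); // key = series (unique)
    private final SecureRandom random = new SecureRandom();
    private final long validityMillis;
    PersistentLoginSketch(int tokenValiditySeconds) { validityMillis = tokenValiditySeconds * 1000L; }
    private String randomValue() {
        byte[] b = new byte[16]; // assumed length for this sketch
        random.nextBytes(b);
        return Base64.getEncoder().encodeToString(b);
    }
    // After an interactive login: the cookie carries series and token, never the username.
    String issue(String username, long now) {
        String series = randomValue(), token = randomValue();
        if (store.putIfAbsent(series, new Row(username, token, now)) != null)
            throw new IllegalStateException("series already allocated");
        return series + ":" + token;
    }
    // Returns the username found via the series, or null when authentication is denied.
    String autoLogin(String cookie, long now) {
        String[] p = cookie.split(":", 2);
        Row row = p.length == 2 ? store.get(p[0]) : null;
        if (row == null || !MessageDigest.isEqual(row.token.getBytes(), p[1].getBytes())) return null;
        if (now - row.created > validityMillis) return null; // denied, but the row stays stored
        return row.username;
    }
    // The periodic batch job: delete rows older than the validity window, return the count.
    int purgeExpired(long now) {
        int before = store.size();
        store.values().removeIf(r -> now - r.created > validityMillis);
        return before - store.size();
    }
    public static void main(String[] args) {
        PersistentLoginSketch s = new PersistentLoginSketch(60);
        String cookie = s.issue("alice", 0L);             // constructed sample user
        System.out.println(s.autoLogin(cookie, 30_000L)); // presented within the 60 s window
        System.out.println(s.autoLogin(cookie, 61_000L)); // presented after expiry
        System.out.println(s.purgeExpired(61_000L));      // rows removed by the batch step
    }
}
```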
- Since:
- 2.0
- Author:
- Luke Taylor
Methods inherited from class egovframework.rfc3.iam.security.authentication.rememberme.AbstractRememberMeServices
afterPropertiesSet, autoLogin, extractRememberMeCookie, getKey, getParameter, loginFail, loginSuccess, onCookiesValidate, setAlwaysRemember, setAuthenticationDetailsSource, setCookieName, setKey, setParameter, setUserDetailsService, setUseSecureCookie
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
DEFAULT_SERIES_LENGTH
public static final int DEFAULT_SERIES_LENGTH
- See Also:
- Constant Field Values
DEFAULT_TOKEN_LENGTH
public static final int DEFAULT_TOKEN_LENGTH
- See Also:
- Constant Field Values
PersistentTokenBasedRememberMeServices
public PersistentTokenBasedRememberMeServices()
throws java.lang.Exception
- Throws:
java.lang.Exception
logout
public void logout(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
org.springframework.security.core.Authentication authentication)
- Description copied from class:
AbstractRememberMeServices
- Implementation of LogoutHandler. Default behaviour is to call cancelCookie().
- Specified by:
logout
in interface org.springframework.security.web.authentication.logout.LogoutHandler
- Overrides:
logout
in class AbstractRememberMeServices
setTokenRepository
public void setTokenRepository(PersistentTokenRepository tokenRepository)
setSeriesLength
public void setSeriesLength(int seriesLength)
setTokenLength
public void setTokenLength(int tokenLength)
setTokenValiditySeconds
public void setTokenValiditySeconds(int tokenValiditySeconds)
- Overrides:
setTokenValiditySeconds
in class AbstractRememberMeServices