org.acegisecurity.ui.rememberme
Class TokenBasedRememberMeServices

java.lang.Object
  org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices
- All Implemented Interfaces:
- org.springframework.beans.factory.InitializingBean, RememberMeServices

public class TokenBasedRememberMeServices
extends java.lang.Object
implements RememberMeServices, org.springframework.beans.factory.InitializingBean
Identifies previously remembered users by a Base-64 encoded cookie.

This implementation does not rely on an external database, so it is attractive for simple applications. The cookie will be valid for a specific period from the date of the last loginSuccess(HttpServletRequest, HttpServletResponse, Authentication). As per the interface contract, this method will only be called when the principal completes a successful interactive authentication. As such, the time period commences from the last authentication attempt where they furnished credentials, not the time they last logged in via remember-me. The implementation will only send a remember-me token if the parameter defined by setParameter(String) is present.

An org.acegisecurity.userdetails.UserDetailsService is required by this implementation, so that it can construct a valid Authentication from the returned org.acegisecurity.userdetails.UserDetails. This is also necessary so that the user's password is available and can be checked as part of the encoded cookie.

The cookie encoded by this implementation adopts the following form:

username + ":" + expiryTime + ":" + Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)

As such, if the user changes their password, any remember-me token will be invalidated. Equally, the system administrator may invalidate every remember-me token on issue by changing the key. This provides some reasonable approaches to recovering from a remember-me token being left on a public machine (e.g. kiosk system, Internet cafe, etc.). Most importantly, at no time is the user's password ever sent to the user agent, providing an important security safeguard. Unfortunately the username is necessary in this implementation (as we do not want to rely on a database for remember-me services), and as such high-security applications should be aware of this occasionally undesired disclosure of a valid username.

This is a basic remember-me implementation which is suitable for many applications. However, we recommend a database-based implementation if you require a more secure remember-me approach.

By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed using setTokenValiditySeconds(long).
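The cookie format above, and the verification contract that autoLogin must honour (silently reject anything malformed, expired, or no longer matching the user's current password and the server key), can be seen end to end in the following self-contained re-implementation. It is an added example, not Acegi's own code: the class and method names, the server key value, the in-memory user map standing in for the UserDetailsService, and the constructed timestamps are all assumptions; the token layout and the Md5Hex signature input are exactly as the Javadoc describes them.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Illustrative re-implementation of the TokenBasedRememberMeServices cookie
// format. Not Acegi's code; all names and sample values are assumptions.
public class RememberMeTokenDemo {

    /** Hex-encoded MD5 of the input, i.e. the Javadoc's Md5Hex(...). */
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Base64( username:expiryTime:Md5Hex(username:expiryTime:password:key) ). */
    static String makeToken(String username, long expiryTime, String password, String key) {
        String signature = md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);
        String plain = username + ":" + expiryTime + ":" + signature;
        return Base64.getEncoder().encodeToString(plain.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Verifies a presented cookie the way autoLogin is expected to. Returns the
     * username on success and null for anything that must be ignored (the caller
     * would then cancel the cookie). passwordLookup stands in for the
     * UserDetailsService and returns the user's *current* password, so a password
     * change invalidates outstanding tokens without any server-side state.
     */
    static String verifyToken(String cookieValue, long now,
                              Function<String, String> passwordLookup, String key) {
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(cookieValue);
        } catch (IllegalArgumentException e) {
            return null; // not Base64 at all
        }
        // A username containing ':' yields the wrong field count and is rejected.
        String[] parts = new String(decoded, StandardCharsets.UTF_8).split(":");
        if (parts.length != 3) {
            return null;
        }
        String username = parts[0];
        long expiryTime;
        try {
            expiryTime = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiryTime <= now) {
            return null; // expired
        }
        String password = passwordLookup.apply(username);
        if (password == null) {
            return null; // unknown user
        }
        String expected = md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);
        // Constant-time comparison so the signature check itself leaks nothing.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   parts[2].getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        return username;
    }

    public static void main(String[] args) {
        String key = "server-side-secret";                 // assumed value for setKey(...)
        long now = 1_700_000_000_000L;                     // constructed "current" time (ms)
        long expiry = now + 14L * 24 * 60 * 60 * 1000;     // 14-day default validity
        Map<String, String> users = new HashMap<>();       // constructed user store
        users.put("alice", "s3cret");

        String token = makeToken("alice", expiry, users.get("alice"), key);
        System.out.println("cookie value:          " + token);
        System.out.println("valid now:             " + verifyToken(token, now, users::get, key));
        System.out.println("after expiry:          " + verifyToken(token, expiry + 1, users::get, key));
        users.put("alice", "newpass");
        System.out.println("after password change: " + verifyToken(token, now, users::get, key));
        users.put("alice", "s3cret");
        System.out.println("after key rotation:    " + verifyToken(token, now, users::get, "rotated-key"));
    }
}
```

The last three calls illustrate the two recovery mechanisms the description names: changing the user's password and changing the server key each cause the recomputed signature to differ, so the same cookie is rejected without any token being stored server-side. The example uses MD5 only because that is the format this class emits; the description's own recommendation of a database-backed implementation for higher-security needs stands.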
- Version:
- $Id: TokenBasedRememberMeServices.java,v 1.7 2005/11/30 00:20:12 benalex Exp $
Field Summary
  static java.lang.String ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY
  static java.lang.String DEFAULT_PARAMETER
  private java.lang.String key
  protected static org.apache.commons.logging.Log logger
  private java.lang.String parameter
  private long tokenValiditySeconds
  private org.acegisecurity.userdetails.UserDetailsService userDetailsService
Constructor Summary
  TokenBasedRememberMeServices()
Method Summary
  void afterPropertiesSet()
      Invoked by a BeanFactory after it has set all bean properties supplied (and satisfied BeanFactoryAware and ApplicationContextAware).
  org.acegisecurity.Authentication autoLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      This method will be called whenever the SecurityContextHolder does not contain an Authentication and the Acegi Security system wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities.
  private void cancelCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String reasonForLog)
  java.lang.String getKey()
  java.lang.String getParameter()
  long getTokenValiditySeconds()
  org.acegisecurity.userdetails.UserDetailsService getUserDetailsService()
  void loginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid.
  void loginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.acegisecurity.Authentication successfulAuthentication)
      Called whenever an interactive authentication attempt is successful.
  protected javax.servlet.http.Cookie makeCancelCookie()
  protected javax.servlet.http.Cookie makeValidCookie(long expiryTime, java.lang.String tokenValueBase64)
  void setKey(java.lang.String key)
  void setParameter(java.lang.String parameter)
  void setTokenValiditySeconds(long tokenValiditySeconds)
  void setUserDetailsService(org.acegisecurity.userdetails.UserDetailsService authenticationDao)
Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY
public static final java.lang.String ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY
- See Also:
- Constant Field Values
DEFAULT_PARAMETER
public static final java.lang.String DEFAULT_PARAMETER
- See Also:
- Constant Field Values
logger
protected static final org.apache.commons.logging.Log logger
userDetailsService
private org.acegisecurity.userdetails.UserDetailsService userDetailsService
key
private java.lang.String key
parameter
private java.lang.String parameter
tokenValiditySeconds
private long tokenValiditySeconds
Constructor Detail
TokenBasedRememberMeServices
public TokenBasedRememberMeServices()
Method Detail
setUserDetailsService
public void setUserDetailsService(org.acegisecurity.userdetails.UserDetailsService authenticationDao)
getUserDetailsService
public org.acegisecurity.userdetails.UserDetailsService getUserDetailsService()
setKey
public void setKey(java.lang.String key)
getKey
public java.lang.String getKey()
setParameter
public void setParameter(java.lang.String parameter)
getParameter
public java.lang.String getParameter()
setTokenValiditySeconds
public void setTokenValiditySeconds(long tokenValiditySeconds)
getTokenValiditySeconds
public long getTokenValiditySeconds()
afterPropertiesSet
public void afterPropertiesSet()
                        throws java.lang.Exception
- Description copied from interface: org.springframework.beans.factory.InitializingBean
  Invoked by a BeanFactory after it has set all bean properties supplied (and satisfied BeanFactoryAware and ApplicationContextAware). This method allows the bean instance to perform initialization only possible when all bean properties have been set and to throw an exception in the event of misconfiguration.
- Specified by:
  afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
autoLogin
public org.acegisecurity.Authentication autoLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- Description copied from interface: RememberMeServices
  This method will be called whenever the SecurityContextHolder does not contain an Authentication and the Acegi Security system wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities. Acegi Security makes no attempt whatsoever to determine whether the browser has requested remember-me services or presented a valid cookie. Such determinations are left to the implementation. If a browser has presented an unauthorised cookie for whatever reason, it should be silently ignored and invalidated using the HttpServletResponse object.
  The returned Authentication must be acceptable to the org.acegisecurity.AuthenticationManager or org.acegisecurity.providers.AuthenticationProvider defined by the web application. It is recommended that org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken be used in most cases, as it has a corresponding authentication provider.
- Specified by:
  autoLogin in interface RememberMeServices
loginFail
public void loginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- Description copied from interface: RememberMeServices
  Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated in the HttpServletRequest.
- Specified by:
  loginFail in interface RememberMeServices
loginSuccess
public void loginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.acegisecurity.Authentication successfulAuthentication)
- Description copied from interface: RememberMeServices
  Called whenever an interactive authentication attempt is successful. An implementation may automatically set a remember-me token in the HttpServletResponse, although this is not recommended. Instead, implementations should typically look for a request parameter that indicates the browser has presented an explicit request for authentication to be remembered, such as the presence of an HTTP POST parameter.
- Specified by:
  loginSuccess in interface RememberMeServices
makeCancelCookie
protected javax.servlet.http.Cookie makeCancelCookie()
makeValidCookie
protected javax.servlet.http.Cookie makeValidCookie(long expiryTime, java.lang.String tokenValueBase64)
cancelCookie
private void cancelCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String reasonForLog)