Class AbstractRememberMeServices
java.lang.Object
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.MessageSourceAware
,LogoutHandler
,RememberMeServices
- Direct Known Subclasses:
PersistentTokenBasedRememberMeServices
,TokenBasedRememberMeServices
public abstract class AbstractRememberMeServices
extends Object
implements RememberMeServices, org.springframework.beans.factory.InitializingBean, LogoutHandler, org.springframework.context.MessageSourceAware
Base class for RememberMeServices implementations.
- Since:
- 2.0
-
Field Summary
-
Constructor Summary
ModifierConstructorDescriptionprotected
AbstractRememberMeServices
(String key, UserDetailsService userDetailsService) -
Method Summary
Modifier and TypeMethodDescriptionvoid
final Authentication
autoLogin
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method.protected void
cancelCookie
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins.protected Authentication
createSuccessfulAuthentication
(jakarta.servlet.http.HttpServletRequest request, UserDetails user) Creates the final Authentication object returned from the autoLogin method.protected String[]
decodeCookie
(String cookieValue) Decodes the cookie and splits it into a set of token strings using the ":" delimiter.protected String
encodeCookie
(String[] cookieTokens) Inverse operation of decodeCookie.protected String
extractRememberMeCookie
(jakarta.servlet.http.HttpServletRequest request) Locates the Spring Security remember me cookie in the request and returns its value.protected AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,
?> protected String
getKey()
protected int
protected UserDetailsService
final void
loginFail
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid.final void
loginSuccess
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called whenever an interactive authentication attempt is successful.void
logout
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication) Implementation ofLogoutHandler
.protected void
onLoginFail
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) protected abstract void
onLoginSuccess
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called from loginSuccess when a remember-me login has been requested.protected abstract UserDetails
processAutoLoginCookie
(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Called from autoLogin to process the submitted persistent login cookie.protected boolean
rememberMeRequested
(jakarta.servlet.http.HttpServletRequest request, String parameter) Allows customization of whether a remember-me login has been requested.void
setAlwaysRemember
(boolean alwaysRemember) void
setAuthenticationDetailsSource
(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource) void
setAuthoritiesMapper
(GrantedAuthoritiesMapper authoritiesMapper) protected void
setCookie
(String[] tokens, int maxAge, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Sets the cookie on the response.void
setCookieDomain
(String cookieDomain) void
setCookieName
(String cookieName) void
setMessageSource
(org.springframework.context.MessageSource messageSource) void
setParameter
(String parameter) Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request.void
setTokenValiditySeconds
(int tokenValiditySeconds) void
setUserDetailsChecker
(UserDetailsChecker userDetailsChecker) Sets the strategy to be used to validate theUserDetails
object obtained for the user when processing a remember-me cookie to automatically log in a user.void
setUseSecureCookie
(boolean useSecureCookie) Whether the cookie should be flagged as secure or not.
-
Field Details
-
SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
- See Also:
-
DEFAULT_PARAMETER
- See Also:
-
TWO_WEEKS_S
public static final int TWO_WEEKS_S- See Also:
-
logger
protected final org.apache.commons.logging.Log logger -
messages
protected org.springframework.context.support.MessageSourceAccessor messages
-
-
Constructor Details
-
AbstractRememberMeServices
-
-
Method Details
-
afterPropertiesSet
public void afterPropertiesSet()- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
-
autoLogin
public final Authentication autoLogin(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Template implementation which locates the Spring Security cookie, decodes it into a delimited array of tokens and submits it to subclasses for processing via the processAutoLoginCookie method.The returned username is then used to load the UserDetails object for the user, which in turn is used to create a valid authentication token.
- Specified by:
autoLogin
in interfaceRememberMeServices
- Parameters:
request
- to look for a remember-me token withinresponse
- to change, cancel or modify the remember-me token- Returns:
- a valid authentication object, or
null
if the request should not be authenticated
-
extractRememberMeCookie
Locates the Spring Security remember me cookie in the request and returns its value. The cookie is searched for by name and also by matching the context path to the cookie path.- Parameters:
request
- the submitted request which is to be authenticated- Returns:
- the cookie value (if present), null otherwise.
-
createSuccessfulAuthentication
protected Authentication createSuccessfulAuthentication(jakarta.servlet.http.HttpServletRequest request, UserDetails user) Creates the final Authentication object returned from the autoLogin method.By default it will create a RememberMeAuthenticationToken instance.
- Parameters:
request
- the original request. The configured AuthenticationDetailsSource will use this to build the details property of the returned object.user
- the UserDetails loaded from the UserDetailsService. This will be stored as the principal.- Returns:
- the Authentication for the remember-me authenticated user
-
decodeCookie
Decodes the cookie and splits it into a set of token strings using the ":" delimiter.- Parameters:
cookieValue
- the value obtained from the submitted cookie- Returns:
- the array of tokens.
- Throws:
InvalidCookieException
- if the cookie was not base64 encoded.
-
encodeCookie
Inverse operation of decodeCookie.- Parameters:
cookieTokens
- the tokens to be encoded.- Returns:
- base64 encoding of the tokens concatenated with the ":" delimiter.
-
loginFail
public final void loginFail(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Description copied from interface:RememberMeServices
Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated in theHttpServletRequest
.- Specified by:
loginFail
in interfaceRememberMeServices
- Parameters:
request
- that contained an invalid authentication requestresponse
- to change, cancel or modify the remember-me token
-
onLoginFail
protected void onLoginFail(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) -
loginSuccess
public final void loginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called whenever an interactive authentication attempt is successful. An implementation may automatically set a remember-me token in theHttpServletResponse
, although this is not recommended. Instead, implementations should typically look for a request parameter that indicates the browser has presented an explicit request for authentication to be remembered, such as the presence of a HTTP POST parameter.Examines the incoming request and checks for the presence of the configured "remember me" parameter. If it's present, or if alwaysRemember is set to true, calls onLoginSucces.
- Specified by:
loginSuccess
in interfaceRememberMeServices
- Parameters:
request
- that contained the valid authentication requestresponse
- to change, cancel or modify the remember-me tokensuccessfulAuthentication
- representing the successfully authenticated principal
-
onLoginSuccess
protected abstract void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called from loginSuccess when a remember-me login has been requested. Typically implemented by subclasses to set a remember-me cookie and potentially store a record of it if the implementation requires this. -
rememberMeRequested
protected boolean rememberMeRequested(jakarta.servlet.http.HttpServletRequest request, String parameter) Allows customization of whether a remember-me login has been requested. The default is to return true if alwaysRemember is set or the configured parameter name has been included in the request and is set to the value "true".- Parameters:
request
- the request submitted from an interactive login, which may include additional information indicating that a persistent login is desired.parameter
- the configured remember-me parameter name.- Returns:
- true if the request includes information indicating that a persistent login has been requested.
-
processAutoLoginCookie
protected abstract UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws RememberMeAuthenticationException, UsernameNotFoundException Called from autoLogin to process the submitted persistent login cookie. Subclasses should validate the cookie and perform any additional management required.- Parameters:
cookieTokens
- the decoded and tokenized cookie valuerequest
- the requestresponse
- the response, to allow the cookie to be modified if required.- Returns:
- the UserDetails for the corresponding user account if the cookie was validated successfully.
- Throws:
RememberMeAuthenticationException
- if the cookie is invalid or the login is invalid for some other reason.UsernameNotFoundException
- if the user account corresponding to the login cookie couldn't be found (for example if the user has been removed from the system).
-
cancelCookie
protected void cancelCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Sets a "cancel cookie" (with maxAge = 0) on the response to disable persistent logins. -
setCookie
protected void setCookie(String[] tokens, int maxAge, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Sets the cookie on the response. By default a secure cookie will be used if the connection is secure. You can set theuseSecureCookie
property tofalse
to override this. If you set it totrue
, the cookie will always be flagged as secure. By default the cookie will be marked as HttpOnly.- Parameters:
tokens
- the tokens which will be encoded to make the cookie value.maxAge
- the value passed toCookie.setMaxAge(int)
request
- the requestresponse
- the response to add the cookie to.
-
logout
public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication) Implementation ofLogoutHandler
. Default behaviour is to callcancelCookie()
.- Specified by:
logout
in interfaceLogoutHandler
- Parameters:
request
- the HTTP requestresponse
- the HTTP responseauthentication
- the current principal details
-
setCookieName
-
setCookieDomain
-
getCookieName
-
setAlwaysRemember
public void setAlwaysRemember(boolean alwaysRemember) -
setParameter
Sets the name of the parameter which should be checked for to see if a remember-me has been requested during a login request. This should be the same name you assign to the checkbox in your login form.- Parameters:
parameter
- the HTTP request parameter
-
getParameter
-
getUserDetailsService
-
getKey
-
setTokenValiditySeconds
public void setTokenValiditySeconds(int tokenValiditySeconds) -
getTokenValiditySeconds
protected int getTokenValiditySeconds() -
setUseSecureCookie
public void setUseSecureCookie(boolean useSecureCookie) Whether the cookie should be flagged as secure or not. Secure cookies can only be sent over an HTTPS connection and thus cannot be accidentally submitted over HTTP where they could be intercepted.By default the cookie will be secure if the request is secure. If you only want to use remember-me over HTTPS (recommended) you should set this property to
true
.- Parameters:
useSecureCookie
- set totrue
to always user secure cookies,false
to disable their use.
-
getAuthenticationDetailsSource
protected AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,?> getAuthenticationDetailsSource() -
setAuthenticationDetailsSource
public void setAuthenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?> authenticationDetailsSource) -
setUserDetailsChecker
Sets the strategy to be used to validate theUserDetails
object obtained for the user when processing a remember-me cookie to automatically log in a user.- Parameters:
userDetailsChecker
- the strategy which will be passed the user object to allow it to be rejected if account should not be allowed to authenticate (if it is locked, for example). Defaults to aAccountStatusUserDetailsChecker
instance.
-
setAuthoritiesMapper
-
setMessageSource
public void setMessageSource(org.springframework.context.MessageSource messageSource) - Specified by:
setMessageSource
in interfaceorg.springframework.context.MessageSourceAware
- Since:
- 5.5
-