Interface RememberMeServices
- All Known Implementing Classes:
AbstractRememberMeServices
,NullRememberMeServices
,PersistentTokenBasedRememberMeServices
,TokenBasedRememberMeServices
Spring Security filters (namely
AbstractAuthenticationProcessingFilter
and
RememberMeAuthenticationFilter
will call the methods provided by an implementation of
this interface.
Implementations may implement any type of remember-me capability they wish. Rolling cookies (as per https://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice) can be used, as can simple implementations that don't require a persistent store. Implementations also determine the validity period of a remember-me cookie. This interface has been designed to accommodate any of these remember-me models.
This interface does not define how remember-me services should offer a "cancel all remember-me tokens" type capability, as this will be implementation specific and requires no hooks into Spring Security.
-
Method Summary
Modifier and TypeMethodDescriptionautoLogin
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) This method will be called whenever theSecurityContextHolder
does not contain anAuthentication
object and Spring Security wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities.void
loginFail
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid.void
loginSuccess
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called whenever an interactive authentication attempt is successful.
-
Method Details
-
autoLogin
Authentication autoLogin(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) This method will be called whenever theSecurityContextHolder
does not contain anAuthentication
object and Spring Security wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities. Spring Security makes no attempt whatsoever to determine whether the browser has requested remember-me services or presented a valid cookie. Such determinations are left to the implementation. If a browser has presented an unauthorised cookie for whatever reason, it should be silently ignored and invalidated using theHttpServletResponse
object.The returned
Authentication
must be acceptable toAuthenticationManager
orAuthenticationProvider
defined by the web application. It is recommendedRememberMeAuthenticationToken
be used in most cases, as it has a corresponding authentication provider.- Parameters:
request
- to look for a remember-me token withinresponse
- to change, cancel or modify the remember-me token- Returns:
- a valid authentication object, or
null
if the request should not be authenticated
-
loginFail
void loginFail(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated in theHttpServletRequest
.- Parameters:
request
- that contained an invalid authentication requestresponse
- to change, cancel or modify the remember-me token
-
loginSuccess
void loginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) Called whenever an interactive authentication attempt is successful. An implementation may automatically set a remember-me token in theHttpServletResponse
, although this is not recommended. Instead, implementations should typically look for a request parameter that indicates the browser has presented an explicit request for authentication to be remembered, such as the presence of a HTTP POST parameter.- Parameters:
request
- that contained the valid authentication requestresponse
- to change, cancel or modify the remember-me tokensuccessfulAuthentication
- representing the successfully authenticated principal
-