org.acegisecurity.ui.rememberme
Class TokenBasedRememberMeServices

java.lang.Object
  extended by org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices
All Implemented Interfaces:
RememberMeServices, InitializingBean

public class TokenBasedRememberMeServices
extends Object
implements RememberMeServices, InitializingBean

Identifies previously remembered users by a Base-64 encoded cookie.

This implementation does not rely on an external database, so it is attractive for simple applications. The cookie will be valid for a specific period from the date of the last loginSuccess(HttpServletRequest, HttpServletResponse, Authentication). As per the interface contract, this method will only be called when the principal completes a successful interactive authentication. As such, the validity period commences from the last authentication in which they furnished credentials, not from the time they last logged in via remember-me. The implementation will only send a remember-me token if the parameter defined by setParameter(String) is present.

A UserDetailsService is required by this implementation, so that it can construct a valid Authentication from the returned UserDetails. This is also necessary so that the user's password is available and can be checked as part of the encoded cookie.

The cookie encoded by this implementation adopts the following form:

username + ":" + expiryTime + ":" + Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key) .

As such, if the user changes their password any remember-me token will be invalidated. Equally, the system administrator may invalidate every remember-me token on issue by changing the key. This provides some reasonable approaches to recovering from a remember-me token being left on a public machine (e.g. kiosk system, Internet cafe, etc.). Most importantly, at no time is the user's password ever sent to the user agent, providing an important security safeguard. Unfortunately the username is necessary in this implementation (as we do not want to rely on a database for remember-me services), and as such high security applications should be aware of this occasionally undesired disclosure of a valid username.

This is a basic remember-me implementation which is suitable for many applications. However, we recommend a database-based implementation if you require a more secure remember-me approach.

By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed using setTokenValiditySeconds(long).
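As an added illustration (not Acegi's own code), the following Python reproduces the documented cookie form so the properties described above can be checked: a token minted with one password and key fails verification once either changes, an expired token is rejected, and the username can be read back from the cookie by anyone holding it. It assumes expiryTime is epoch milliseconds and uses a constant-time comparison for the hash; the lookup_password callback stands in for the UserDetailsService.

```python
import base64
import hashlib
import hmac
import time

DEFAULT_VALIDITY_SECONDS = 14 * 24 * 3600  # the documented 14-day default


def signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    # Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)
    data = f"{username}:{expiry_ms}:{password}:{key}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def make_token(username, password, key, validity_seconds=DEFAULT_VALIDITY_SECONDS, now_ms=None):
    """Cookie value: Base64(username + ":" + expiryTime + ":" + signature)."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    expiry_ms = now_ms + validity_seconds * 1000  # assumption: expiryTime is epoch milliseconds
    token = f"{username}:{expiry_ms}:{signature(username, expiry_ms, password, key)}"
    return base64.b64encode(token.encode("utf-8")).decode("ascii")


def username_from_cookie(cookie_value):
    """The cookie is encoded, not encrypted: whoever holds it can read the username."""
    try:
        return base64.b64decode(cookie_value, validate=True).decode("utf-8").split(":")[0]
    except (ValueError, UnicodeDecodeError):
        return None


def check_token(cookie_value, lookup_password, key, now_ms=None):
    """Return the username for a valid cookie, else None (caller should send a cancel cookie)."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        decoded = base64.b64decode(cookie_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed Base64: treat as an unauthorised cookie
    parts = decoded.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None  # wrong shape (a username containing ':' is rejected too)
    username, expiry_ms, presented = parts[0], int(parts[1]), parts[2]
    if expiry_ms < now_ms:
        return None  # expired
    password = lookup_password(username)  # stands in for UserDetailsService
    if password is None:
        return None  # unknown user
    # Recomputing with the current password and key is what invalidates old tokens
    # after a password change or a key rotation.
    expected = signature(username, expiry_ms, password, key)
    return username if hmac.compare_digest(expected, presented) else None
```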

Version:
$Id: TokenBasedRememberMeServices.java,v 1.7 2005/11/30 00:20:12 benalex Exp $
Author:
Ben Alex

Field Summary
static String ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY
           
static String DEFAULT_PARAMETER
           
protected static org.apache.commons.logging.Log logger
           
 
Constructor Summary
TokenBasedRememberMeServices()
           
 
Method Summary
 void afterPropertiesSet()
           
 Authentication autoLogin(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          This method will be called whenever the SecurityContextHolder does not contain an Authentication and the Acegi Security system wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities.
 String getKey()
           
 String getParameter()
           
 long getTokenValiditySeconds()
           
 UserDetailsService getUserDetailsService()
           
 void loginFail(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid.
 void loginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
          Called whenever an interactive authentication attempt is successful.
protected  javax.servlet.http.Cookie makeCancelCookie()
           
protected  javax.servlet.http.Cookie makeValidCookie(long expiryTime, String tokenValueBase64)
           
 void setKey(String key)
           
 void setParameter(String parameter)
           
 void setTokenValiditySeconds(long tokenValiditySeconds)
           
 void setUserDetailsService(UserDetailsService authenticationDao)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY

public static final String ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY
See Also:
Constant Field Values

DEFAULT_PARAMETER

public static final String DEFAULT_PARAMETER
See Also:
Constant Field Values

logger

protected static final org.apache.commons.logging.Log logger
Constructor Detail

TokenBasedRememberMeServices

public TokenBasedRememberMeServices()
Method Detail

setUserDetailsService

public void setUserDetailsService(UserDetailsService authenticationDao)

getUserDetailsService

public UserDetailsService getUserDetailsService()

setKey

public void setKey(String key)

getKey

public String getKey()

setParameter

public void setParameter(String parameter)

getParameter

public String getParameter()

setTokenValiditySeconds

public void setTokenValiditySeconds(long tokenValiditySeconds)

getTokenValiditySeconds

public long getTokenValiditySeconds()

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface InitializingBean
Throws:
Exception

autoLogin

public Authentication autoLogin(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response)
Description copied from interface: RememberMeServices
This method will be called whenever the SecurityContextHolder does not contain an Authentication and the Acegi Security system wishes to provide an implementation with an opportunity to authenticate the request using remember-me capabilities. Acegi Security makes no attempt whatsoever to determine whether the browser has requested remember-me services or presented a valid cookie. Such determinations are left to the implementation. If a browser has presented an unauthorised cookie for whatever reason, it should be silently ignored and invalidated using the HttpServletResponse object.

The returned Authentication must be acceptable to AuthenticationManager or AuthenticationProvider defined by the web application. It is recommended RememberMeAuthenticationToken be used in most cases, as it has a corresponding authentication provider.

Specified by:
autoLogin in interface RememberMeServices
Parameters:
request - to look for a remember-me token within
response - to change, cancel or modify the remember-me token
Returns:
a valid authentication object, or null if the request should not be authenticated

loginFail

public void loginFail(javax.servlet.http.HttpServletRequest request,
                      javax.servlet.http.HttpServletResponse response)
Description copied from interface: RememberMeServices
Called whenever an interactive authentication attempt was made, but the credentials supplied by the user were missing or otherwise invalid. Implementations should invalidate any and all remember-me tokens indicated in the HttpServletRequest.

Specified by:
loginFail in interface RememberMeServices
Parameters:
request - that contained an invalid authentication request
response - to change, cancel or modify the remember-me token

loginSuccess

public void loginSuccess(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response,
                         Authentication successfulAuthentication)
Description copied from interface: RememberMeServices
Called whenever an interactive authentication attempt is successful. An implementation may automatically set a remember-me token in the HttpServletResponse, although this is not recommended. Instead, implementations should typically look for a request parameter that indicates the browser has presented an explicit request for authentication to be remembered, such as the presence of an HTTP POST parameter.

Specified by:
loginSuccess in interface RememberMeServices
Parameters:
request - that contained the valid authentication request
response - to change, cancel or modify the remember-me token
successfulAuthentication - representing the successfully authenticated principal

makeCancelCookie

protected javax.servlet.http.Cookie makeCancelCookie()

makeValidCookie

protected javax.servlet.http.Cookie makeValidCookie(long expiryTime,
                                                    String tokenValueBase64)


Copyright © 2004-2005 Acegi Technology Pty Limited. All Rights Reserved.