org.powertac.visualizer.security

Class PersistentTokenRememberMeServices

java.lang.Object

org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

org.powertac.visualizer.security.PersistentTokenRememberMeServices

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, org.springframework.security.web.authentication.logout.LogoutHandler, org.springframework.security.web.authentication.RememberMeServices

@Service
public class PersistentTokenRememberMeServices
extends org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

Custom implementation of Spring Security's RememberMeServices.

Persistent tokens are used by Spring Security to automatically log in users.

This is a specific implementation of Spring Security's remember-me authentication, but it is much more powerful than the standard implementations:

• It allows a user to see the list of his currently opened sessions, and invalidate them
• It stores more information, such as the IP address and the user agent, for audit purposes
• When a user logs out, only his current session is invalidated, and not all of his sessions

This is inspired by:

• Improved Persistent Login Cookie Best Practice
• Github's "Modeling your App's User Session"

The main algorithm comes from Spring Security's PersistentTokenBasedRememberMeServices, but this class couldn't be cleanly extended.

Field Summary

Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S

Constructor Summary

Constructors

Constructor and Description
PersistentTokenRememberMeServices(io.github.jhipster.config.JHipsterProperties jHipsterProperties, org.springframework.security.core.userdetails.UserDetailsService userDetailsService, PersistentTokenRepository persistentTokenRepository, UserRepository userRepository)

Method Summary

Modifier and Type	Method and Description
void	logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication) When logout occurs, only invalidate the current token, and not all user sessions.
protected void	onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication)
protected org.springframework.security.core.userdetails.UserDetails	processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

afterPropertiesSet, autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PersistentTokenRememberMeServices

public PersistentTokenRememberMeServices(io.github.jhipster.config.JHipsterProperties jHipsterProperties,
                                         org.springframework.security.core.userdetails.UserDetailsService userDetailsService,
                                         PersistentTokenRepository persistentTokenRepository,
                                         UserRepository userRepository)

Method Detail

processAutoLoginCookie

protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie(String[] cookieTokens,
                                                                                           javax.servlet.http.HttpServletRequest request,
                                                                                           javax.servlet.http.HttpServletResponse response)

Specified by:

processAutoLoginCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

onLoginSuccess

protected void onLoginSuccess(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              org.springframework.security.core.Authentication successfulAuthentication)

Specified by:

onLoginSuccess in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

logout

@Transactional
public void logout(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response,
                                  org.springframework.security.core.Authentication authentication)

When logout occurs, only invalidate the current token, and not all user sessions.

The standard Spring Security implementations are too basic: they invalidate all tokens for the current user, so when he logs out from one browser, all his other sessions are destroyed.

Specified by:

logout in interface org.springframework.security.web.authentication.logout.LogoutHandler

Overrides:

logout in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices