org.activiti.app.security

Class CustomPersistentRememberMeServices

java.lang.Object

org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

org.activiti.app.security.CustomPersistentRememberMeServices

All Implemented Interfaces:

CustomRememberMeService, org.springframework.beans.factory.InitializingBean, org.springframework.security.web.authentication.logout.LogoutHandler, org.springframework.security.web.authentication.RememberMeServices

@Service
public class CustomPersistentRememberMeServices
extends org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
implements CustomRememberMeService

Custom implementation of Spring Security's RememberMeServices.

Persistent tokens are used by Spring Security to automatically log in users.

This is a specific implementation of Spring Security's remember-me authentication, but it is much more powerful than the standard implementations:

• It allows a user to see the list of his currently opened sessions, and invalidate them
• It stores more information, such as the IP address and the user agent, for audit purposes
• When a user logs out, only his current session is invalidated, and not all of his sessions

This is inspired by:

• Improved Persistent Login Cookie Best Practice
• Github's "Modeling your App's User Session"

The main algorithm comes from Spring Security's PersistentTokenBasedRememberMeServices, but this class couldn't be cleanly extended.

Field Summary

Fields

Modifier and Type	Field and Description
static String	COOKIE_NAME

Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S

Constructor Summary

Constructors

Constructor and Description
CustomPersistentRememberMeServices(org.springframework.core.env.Environment env, org.springframework.security.core.userdetails.UserDetailsService userDetailsService)

Method Summary

Modifier and Type	Method and Description
PersistentToken	createAndInsertPersistentToken(User user, String remoteAddress, String userAgent)
void	logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication) When logout occurs, only invalidate the current token, and not all user sessions.
protected void	onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication)
protected org.springframework.security.core.userdetails.UserDetails	processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
protected void	setCookie(String[] tokens, int maxAge, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

afterPropertiesSet, autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookieName, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

COOKIE_NAME

public static final String COOKIE_NAME

See Also:

Constant Field Values

Constructor Detail

CustomPersistentRememberMeServices

@Autowired
public CustomPersistentRememberMeServices(org.springframework.core.env.Environment env,
                                                     org.springframework.security.core.userdetails.UserDetailsService userDetailsService)

Method Detail

onLoginSuccess

protected void onLoginSuccess(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              org.springframework.security.core.Authentication successfulAuthentication)

Specified by:

onLoginSuccess in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

processAutoLoginCookie

@Transactional
protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie(String[] cookieTokens,
                                                                                                          javax.servlet.http.HttpServletRequest request,
                                                                                                          javax.servlet.http.HttpServletResponse response)

Specified by:

processAutoLoginCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

logout

@Transactional
public void logout(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response,
                                  org.springframework.security.core.Authentication authentication)

When logout occurs, only invalidate the current token, and not all user sessions.

The standard Spring Security implementations are too basic: they invalidate all tokens for the current user, so when he logs out from one browser, all his other sessions are destroyed.

Specified by:

logout in interface org.springframework.security.web.authentication.logout.LogoutHandler

Overrides:

logout in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

setCookie

protected void setCookie(String[] tokens,
                         int maxAge,
                         javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)

Overrides:

setCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

createAndInsertPersistentToken

public PersistentToken createAndInsertPersistentToken(User user,
                                                      String remoteAddress,
                                                      String userAgent)

Specified by:

createAndInsertPersistentToken in interface CustomRememberMeService