Class RememberMeLoginAutoConfiguration

java.lang.Object
com.broadleafcommerce.auth.authorization.security.rememberme.autoconfigure.RememberMeLoginAutoConfiguration

@AutoConfiguration
@EnableConfigurationProperties(RememberMeLoginProperties.class)
@ConditionalOnProperty("broadleaf.auth.login.remember-me.enabled")
public class RememberMeLoginAutoConfiguration extends Object
Configuration defining properties and beans relevant for 'Remember Me' functionality.
  • Constructor Details

    • RememberMeLoginAutoConfiguration

      public RememberMeLoginAutoConfiguration()
  • Method Details

    • rememberMeAuthenticationFilter

      @Bean
      @ConditionalOnMissingBean(org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.class)
      public BroadleafRememberMeAuthenticationFilter rememberMeAuthenticationFilter(
          @Qualifier("authorizationServerWebSecurityAuthenticationManager") org.springframework.security.authentication.AuthenticationManager authenticationManager,
          org.springframework.security.web.authentication.RememberMeServices rememberMeServices,
          @Qualifier("defaultAuthenticationSuccessHandler") org.springframework.security.web.authentication.AuthenticationSuccessHandler authenticationSuccessHandler,
          org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy,
          @Autowired(required=false) List<UncaughtRememberMeAuthenticationExceptionHandler> uncaughtRememberMeExceptionHandlers,
          StatelessUtil statelessUtil,
          RememberMeLoginProperties rememberMeLoginProperties)
    • rememberMeAuthenticationFilterRegistration

      @Bean @ConditionalOnMissingBean(name="rememberMeAuthenticationFilterRegistration") public org.springframework.boot.web.servlet.FilterRegistrationBean<org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter> rememberMeAuthenticationFilterRegistration(org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter filter)
      Disable automatic Filter registration for RememberMeAuthenticationFilter. It is added manually to the security filter chain in RememberMeLoginAuthenticationConfigurer.

      See documentation file "register-security-filters.adoc" for information about how to properly register security filters.

    • rememberMeAuthenticationProvider

      @Bean @ConditionalOnMissingBean(org.springframework.security.authentication.RememberMeAuthenticationProvider.class) public org.springframework.security.authentication.RememberMeAuthenticationProvider rememberMeAuthenticationProvider()
    • rememberMeCookieTheftExceptionHandler

      @Bean @ConditionalOnMissingBean(name="rememberMeCookieTheftExceptionHandler") public RememberMeCookieTheftExceptionHandler rememberMeCookieTheftExceptionHandler(@Qualifier("oAuth2ClientIdForwardRedirectStrategy") org.springframework.security.web.RedirectStrategy oAuth2ClientIdForwardRedirectStrategy)
    • getRememberMeServicesKey

      protected String getRememberMeServicesKey()

      This key is used in RememberMeAuthenticationFilter and RememberMeAuthenticationProvider for issuing/validating RememberMeAuthenticationToken. The RememberMeAuthenticationFilter delegates to RememberMeServices.autoLogin(HttpServletRequest, HttpServletResponse) to validate the overall request and then (if valid) generate the RememberMeAuthenticationToken with this key value. Then, the RememberMeAuthenticationProvider will validate that the key value in the RememberMeAuthenticationToken is the same before returning success.

      The 'persistent token approach' components like PersistentTokenBasedRememberMeServices/BroadleafPersistentTokenRememberMeServices do not make any meaningful use of the key. It's not part of the persisted token, nor is it taken as input anywhere. It is only relevant for the 'simple hash based token approach' (TokenBasedRememberMeServices), which we are not using. Thus, we can safely set the value to something random on each startup, similar to what getKey() in RememberMeConfigurer already does by default.

      Returns:
      the key to share between RememberMeAuthenticationProvider and PersistentTokenBasedRememberMeServices
    • rememberMeUserDetailsServiceProvider

      @Bean @ConditionalOnMissingBean public RememberMeUserDetailsServiceProvider rememberMeUserDetailsServiceProvider(OAuth2UserDetailsService oAuth2UserDetailsService, ContextHelperService contextHelperService)
    • rememberMePersistentTokenRepository

      @Bean @ConditionalOnMissingBean(org.springframework.security.web.authentication.rememberme.PersistentTokenRepository.class) public BroadleafPersistentTokenRepository rememberMePersistentTokenRepository(RememberMeTokenEntityRepository<JpaPersistentRememberMeToken> rememberMeTokenEntityRepository, com.broadleafcommerce.common.extension.TypeFactory typeFactory)
    • rememberMeLogoutHandlerDelegate

      @Bean
      @ConditionalOnMissingBean
      public RememberMeLogoutHandlerDelegate rememberMeLogoutHandlerDelegate(
          RememberMeCookieUtility rememberMeCookieUtility,
          RememberMeLoginProperties rememberMeLoginProperties,
          BroadleafPersistentTokenRememberMeServices persistentTokenRememberMeServices,
          RememberMeTokenEntityRepository<?> rememberMeTokenEntityRepository)
    • rememberMeLoginAuthenticationStrategyDelegate

      @Bean @ConditionalOnMissingBean public RememberMeLoginAuthenticationStrategyDelegate rememberMeLoginAuthenticationStrategyDelegate()
    • rememberMeCookieUtility

      @Bean @ConditionalOnMissingBean public RememberMeCookieUtility rememberMeCookieUtility(RememberMeLoginProperties rememberMeLoginProperties)
    • rememberMeAvailableHeaderFilter

      @Bean
      @ConditionalOnMissingBean
      public RememberMeAvailableHeaderFilter rememberMeAvailableHeaderFilter(
          org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings authorizationServerSettings,
          RememberMeCookieUtility rememberMeCookieUtility,
          AuthorizedClientService<AuthorizedClient> authorizedClientService,
          AuthorizationServerService<AuthorizationServer> authorizationServerService,
          RememberMeLoginProperties rememberMeLoginProperties)
    • rememberMeAvailableHeaderFilterRegistration

      @Bean @ConditionalOnMissingBean(name="rememberMeAvailableHeaderFilterRegistration") public org.springframework.boot.web.servlet.FilterRegistrationBean<RememberMeAvailableHeaderFilter> rememberMeAvailableHeaderFilterRegistration(RememberMeAvailableHeaderFilter filter)

      Configure Filter registration for RememberMeAvailableHeaderFilter. This is not a 'security' filter, and actually applies to paths covered by different security filter chains. Thus, instead of registering it individually with each of those security filter chains, we register it globally here.

      By default, because it applies to AuthorizationServerSettings.getTokenEndpoint(), it needs to engage before the OAuth2TokenEndpointFilter (which will skip the remainder of the filter chain). Thus, it needs to be set at a higher priority than the 'authorizationServerSecurityFilterChain' in SpringAuthorizationServerComponentsConfiguration.
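
The key check described under getRememberMeServicesKey() above, as an added example that is not Broadleaf's code: it uses only Spring Security's stock RememberMeAuthenticationProvider and RememberMeAuthenticationToken to show that a token carrying the per-startup random key is accepted and a token carrying any other key is rejected. The class name RememberMeKeyCheckDemo, the principal name and the use of UUID for the random key are assumptions made for the demonstration.

```java
import java.util.List;
import java.util.UUID;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical demo class; requires spring-security-core on the classpath.
public class RememberMeKeyCheckDemo {

    /** Returns true if the provider accepts a token created with tokenKey. */
    static boolean accepts(RememberMeAuthenticationProvider provider, String tokenKey) {
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
        // In the real flow this token is only created after
        // RememberMeServices.autoLogin(...) has validated the request.
        // "constructed-user" is a constructed sample principal.
        Authentication token =
                new RememberMeAuthenticationToken(tokenKey, "constructed-user", authorities);
        try {
            return provider.authenticate(token) != null;
        } catch (BadCredentialsException e) {
            // The key hash carried by the token does not match the provider's key.
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumption: a fresh random value on each startup, as the page describes.
        String startupKey = UUID.randomUUID().toString();
        RememberMeAuthenticationProvider provider =
                new RememberMeAuthenticationProvider(startupKey);

        // Token built with the same in-memory key as the provider.
        System.out.println("same key accepted:  " + accepts(provider, startupKey));
        // Token built with a different key, e.g. one from another process or startup.
        System.out.println("other key accepted: "
                + accepts(provider, UUID.randomUUID().toString()));
    }
}
```

Because the key never leaves the process and is not part of the persisted token, regenerating it on restart does not invalidate remember-me cookies backed by the persistent token repository.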