Class BroadleafPersistentTokenRememberMeServices
All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.web.authentication.logout.LogoutHandler, org.springframework.security.web.authentication.RememberMeServices
An extension of Spring's PersistentTokenBasedRememberMeServices implementation with
adaptations particular to Broadleaf's requirements.
A major difference from the base implementation is that Broadleaf maintains distinct remember me
cookies for each AuthorizedClient/AuthorizationServer rather than a single cookie
for the entire system.
-
Field Summary
Fields inherited from class org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
DEFAULT_SERIES_LENGTH, DEFAULT_TOKEN_LENGTH
Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S
-
Constructor Summary
Constructors
BroadleafPersistentTokenRememberMeServices(String key, org.springframework.security.core.userdetails.UserDetailsService userDetailsService, org.springframework.security.web.authentication.rememberme.PersistentTokenRepository tokenRepository, RememberMeLoginProperties rememberMeLoginProperties, ContextHelperService contextHelperService, RememberMeCookieUtility rememberMeCookieUtility, AuthorizedClientService<AuthorizedClient> authorizedClientService, AuthorizationServerService<AuthorizationServer> authorizationServerService)
-
Method Summary
Modifier and Type, Method, Description:
protected void cancelCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
protected String extractRememberMeCookie(jakarta.servlet.http.HttpServletRequest request)
    We use distinct cookies for each AuthorizedClient/AuthorizationServer, so we cannot use the base implementation, which relies on the single/centralized AbstractRememberMeServices.setCookieName(String)/AbstractRememberMeServices.getCookieName().
extractSeries(String rawCookieValue)
    Helper method to allow components outside of this one to get the PersistentRememberMeToken.getSeries() value from a raw cookie value.
protected AuthorizedClient findClient(String clientId)
protected AuthorizationServer findServer(AuthorizedClient client)
protected AuthorizationServerService<AuthorizationServer> getAuthorizationServerService()
protected AuthorizedClientService<AuthorizedClient> getAuthorizedClientService()
protected ContextHelperService getContextHelperService()
protected RememberMeCookieUtility getRememberMeCookieUtility()
protected RememberMeLoginProperties getRememberMeLoginProperties()
void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication)
    This method implements LogoutHandler in the base class, but it should never be called because we don't ever register this component itself as a formal LogoutHandler in the main security filter chain.
protected void setCookie(String[] tokens, int maxAge, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Methods inherited from class org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
generateSeriesData, generateTokenData, onLoginSuccess, processAutoLoginCookie, setSeriesLength, setTokenLength, setTokenValiditySeconds
Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
afterPropertiesSet, autoLogin, createSuccessfulAuthentication, decodeCookie, encodeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookieDomain, setCookieName, setMessageSource, setParameter, setUserDetailsChecker, setUseSecureCookie
-
Constructor Details
-
BroadleafPersistentTokenRememberMeServices
public BroadleafPersistentTokenRememberMeServices(String key, org.springframework.security.core.userdetails.UserDetailsService userDetailsService, org.springframework.security.web.authentication.rememberme.PersistentTokenRepository tokenRepository, RememberMeLoginProperties rememberMeLoginProperties, ContextHelperService contextHelperService, RememberMeCookieUtility rememberMeCookieUtility, AuthorizedClientService<AuthorizedClient> authorizedClientService, AuthorizationServerService<AuthorizationServer> authorizationServerService)
-
-
Method Details
-
extractRememberMeCookie
We use distinct cookies for each AuthorizedClient/AuthorizationServer, so we cannot use the base implementation, which relies on the single/centralized AbstractRememberMeServices.setCookieName(String)/AbstractRememberMeServices.getCookieName(). Use this method instead.
Overrides:
extractRememberMeCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
Parameters:
request - the submitted request which is to be authenticated
Returns:
the name of the remember me cookie to use for the current request
-
findClient
-
findServer
-
cancelCookie
protected void cancelCookie(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Overrides:
cancelCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
setCookie
protected void setCookie(String[] tokens, int maxAge, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Overrides:
setCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-
logout
public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication)
This method implements LogoutHandler in the base class, but it should never be called because we don't ever register this component itself as a formal LogoutHandler in the main security filter chain. Instead, we expect to use RememberMeLogoutHandlerDelegate, engaged by a different handler.
Nonetheless, even though we never expect this method to be called, we override this method's implementation to be a no-op just to be explicitly clear that we don't want to engage any logout logic here.
Specified by:
logout in interface org.springframework.security.web.authentication.logout.LogoutHandler
Overrides:
logout in class org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices
Parameters:
request - the HTTP request
response - the HTTP response
authentication - the current principal details
See Also:
-
extractSeries
Helper method to allow components outside of this one to get the PersistentRememberMeToken.getSeries() value from a raw cookie value.
Parameters:
rawCookieValue - the raw, encoded cookie value that was presented by the request
Returns:
the PersistentRememberMeToken.getSeries() from that value
Throws:
org.springframework.security.web.authentication.rememberme.InvalidCookieException - if something was wrong with the cookie value
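What recovering the series from a raw cookie value involves, shown as an added example that is not Broadleaf's implementation. It assumes the cookie follows the encoding of Spring Security's AbstractRememberMeServices (Base64 of URL-encoded tokens joined by ":", with "=" padding stripped) and the two-token series:token layout of persistent tokens; the class name RememberMeSeriesDemo and the sample values are constructed, and IllegalArgumentException stands in for InvalidCookieException so the block needs only the JDK.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class RememberMeSeriesDemo {

    // Returns the series half of a raw remember-me cookie value.
    // IllegalArgumentException stands in for Spring's InvalidCookieException.
    static String extractSeries(String rawCookieValue) {
        // The '=' padding is stripped when the cookie is written; restore it.
        StringBuilder padded = new StringBuilder(rawCookieValue);
        while (padded.length() % 4 != 0) {
            padded.append('=');
        }
        // Base64.Decoder.decode throws IllegalArgumentException on malformed input.
        String plain = new String(
                Base64.getDecoder().decode(padded.toString()), StandardCharsets.UTF_8);
        // A persistent-token cookie carries exactly two tokens: series and token.
        String[] tokens = plain.split(":", -1);
        if (tokens.length != 2 || tokens[0].isEmpty()) {
            throw new IllegalArgumentException(
                    "Cookie did not contain a series and a token");
        }
        // Only the series (a lookup key) is returned; the token half is the
        // secret and should not be logged or handed to other components.
        return URLDecoder.decode(tokens[0], StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real system.
        String series = "c2FtcGxlLXNlcmllcy0wMQ==";
        String token = "c2FtcGxlLXRva2VuLTAx";
        String joined = URLEncoder.encode(series, StandardCharsets.UTF_8)
                + ":" + URLEncoder.encode(token, StandardCharsets.UTF_8);
        String raw = Base64.getEncoder().withoutPadding()
                .encodeToString(joined.getBytes(StandardCharsets.UTF_8));
        System.out.println("series recovered: " + extractSeries(raw).equals(series));

        // A value with a single token must be rejected, not partially parsed.
        String bad = Base64.getEncoder().withoutPadding()
                .encodeToString("only-one-token".getBytes(StandardCharsets.UTF_8));
        try {
            extractSeries(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```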
-
getRememberMeLoginProperties
-
getContextHelperService
-
getRememberMeCookieUtility
-
getAuthorizedClientService
-
getAuthorizationServerService
-