Class FlowablePersistentRememberMeServices
java.lang.Object
  org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    com.flowable.core.spring.security.web.authentication.rememberme.FlowablePersistentRememberMeServices

All Implemented Interfaces: Aware, InitializingBean, MessageSourceAware, LogoutHandler, RememberMeServices

public class FlowablePersistentRememberMeServices extends AbstractRememberMeServices
Custom implementation of Spring Security's RememberMeServices. Persistent tokens are used by Spring Security to automatically log in users.
This is a specific implementation of Spring Security's remember-me authentication, but it is much more powerful than the standard implementations:
- It allows a user to see the list of his currently opened sessions, and invalidate them
- It stores more information, such as the IP address and the user agent, for audit purposes
- When a user logs out, only his current session is invalidated, and not all of his sessions
This is inspired by:
The main algorithm comes from Spring Security's PersistentTokenBasedRememberMeServices, but this class couldn't be cleanly extended.
Author: Joram Barrez, Tijs Rademakers, Filip Hrisafov

Field Summary
Fields (modifier and type, field, description):
- static String DEFAULT_PARAMETER
- protected PersistentTokenService persistentTokenService
- static String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
- protected com.github.benmanes.caffeine.cache.Cache<String,UserDetails> tokenUserCache: The cache that stores the token id linked with the UserDetails that is linked to the token.
Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices: logger, messages, TWO_WEEKS_S

Constructor Summary
- FlowablePersistentRememberMeServices(String key, UserDetailsService userDetailsService, PersistentTokenService persistentTokenService)

Method Summary
Methods (modifier and type, method, description):
- void afterPropertiesSet()
- Token createAndInsertPersistentToken(String userId, String remoteAddress, String userAgent)
- protected Token getPersistentToken(String[] cookieTokens): Validate the token and return it.
- void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication): When logout occurs, only invalidate the current token, and not all user sessions.
- protected void onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
- protected UserDetails processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- void setCookieMaxAge(Duration duration)
- void setStoreUserDetails(boolean storeUserDetails)
- void setTokenRefreshDuration(Duration duration)
- void setUserCache(Duration maxAge, long maxSize)
Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices: autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie

Field Detail
SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
See Also: Constant Field Values

DEFAULT_PARAMETER
public static final String DEFAULT_PARAMETER
See Also: Constant Field Values

persistentTokenService
protected final PersistentTokenService persistentTokenService

tokenUserCache
protected com.github.benmanes.caffeine.cache.Cache<String,UserDetails> tokenUserCache
The cache that stores the token id linked with the UserDetails that is linked to the token. It is keyed by token id rather than by user id, since the cached user should be invalidated when the token is deleted.

Constructor Detail
FlowablePersistentRememberMeServices
public FlowablePersistentRememberMeServices(String key, UserDetailsService userDetailsService, PersistentTokenService persistentTokenService)

Method Detail
afterPropertiesSet
public void afterPropertiesSet()
Specified by: afterPropertiesSet in interface InitializingBean
Overrides: afterPropertiesSet in class AbstractRememberMeServices

onLoginSuccess
protected void onLoginSuccess(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
Specified by: onLoginSuccess in class AbstractRememberMeServices

processAutoLoginCookie
protected UserDetails processAutoLoginCookie(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Specified by: processAutoLoginCookie in class AbstractRememberMeServices

logout
public void logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
When logout occurs, only invalidate the current token, and not all user sessions. The standard Spring Security implementations are too basic: they invalidate all tokens for the current user, so when he logs out from one browser, all his other sessions are destroyed.
Specified by: logout in interface LogoutHandler
Overrides: logout in class AbstractRememberMeServices
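
The per-token logout and the token-keyed cache described above, as a simplified in-memory model added here; it is not Flowable's code. The Token record, the two maps and all method names are hypothetical stand-ins, the addresses are constructed sample values, and Java 17 is assumed.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model (hypothetical names): one persistent token per browser session.
public class PerTokenLogoutDemo {
    // Audit fields mirror what the class description says is stored with a token.
    record Token(String id, String userId, String remoteAddress, String userAgent) {}

    // Stand-in for the persistent token store (assumption: a real one is a database).
    static final Map<String, Token> tokens = new ConcurrentHashMap<>();
    // Cache keyed by token id, like tokenUserCache; the String value stands in for UserDetails.
    static final Map<String, String> tokenUserCache = new ConcurrentHashMap<>();

    static Token login(String userId, String remoteAddress, String userAgent) {
        Token t = new Token(UUID.randomUUID().toString(), userId, remoteAddress, userAgent);
        tokens.put(t.id(), t);
        return t;
    }

    // Auto-login resolves the user from the presented token id only.
    static Optional<String> autoLogin(String tokenId) {
        Token t = tokens.get(tokenId);
        if (t == null) {
            tokenUserCache.remove(tokenId);   // never serve a cached user for a deleted token
            return Optional.empty();
        }
        return Optional.of(tokenUserCache.computeIfAbsent(tokenId, id -> t.userId()));
    }

    // Logout deletes just the presented token and its cache entry.
    // A cache keyed by user id could not evict one session without touching the others.
    static void logout(String tokenId) {
        tokens.remove(tokenId);
        tokenUserCache.remove(tokenId);
    }

    // The "list of currently opened sessions" a user can review and invalidate.
    static List<Token> sessionsOf(String userId) {
        return tokens.values().stream().filter(t -> t.userId().equals(userId)).toList();
    }

    public static void main(String[] args) {
        Token laptop = login("alice", "192.0.2.10", "Firefox");        // constructed sample data
        Token phone = login("alice", "198.51.100.7", "Mobile Safari"); // constructed sample data
        autoLogin(laptop.id());
        autoLogin(phone.id());                 // both sessions are now cached
        logout(laptop.id());                   // user logs out on the laptop only
        System.out.println("laptop valid: " + autoLogin(laptop.id()).isPresent());
        System.out.println("phone valid:  " + autoLogin(phone.id()).isPresent());
        System.out.println("open sessions: " + sessionsOf("alice").size());
    }
}
```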

getPersistentToken
protected Token getPersistentToken(String[] cookieTokens)
Validate the token and return it.

createAndInsertPersistentToken
public Token createAndInsertPersistentToken(String userId, String remoteAddress, String userAgent)

setCookieMaxAge
public void setCookieMaxAge(Duration duration)

setTokenRefreshDuration
public void setTokenRefreshDuration(Duration duration)

setStoreUserDetails
public void setStoreUserDetails(boolean storeUserDetails)

setUserCache
public void setUserCache(Duration maxAge, long maxSize)