Class FlowablePersistentRememberMeServices

  • All Implemented Interfaces:
    Aware, InitializingBean, MessageSourceAware, LogoutHandler, RememberMeServices

    public class FlowablePersistentRememberMeServices
    extends AbstractRememberMeServices
    Custom implementation of Spring Security's RememberMeServices.

    Persistent tokens are used by Spring Security to automatically log in users.

    This is a specific implementation of Spring Security's remember-me authentication, but it is much more powerful than the standard implementations:
    • It allows a user to see the list of their currently open sessions and invalidate them
    • It stores more information, such as the IP address and the user agent, for audit purposes
    • When a user logs out, only their current session is invalidated, not all of their sessions

    This is inspired by:

    The main algorithm comes from Spring Security's PersistentTokenBasedRememberMeServices, but this class couldn't be cleanly extended.

    Author:
    Joram Barrez, Tijs Rademakers, Filip Hrisafov
    • Field Detail

      • SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY

        public static final String SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
        See Also:
        Constant Field Values
      • tokenUserCache

        protected com.github.benmanes.caffeine.cache.Cache<String, UserDetails> tokenUserCache
        The cache that maps a token id to the UserDetails linked to that token. It is keyed by token id rather than by user id so that the cached user is invalidated when the token is deleted.
    • Method Detail

      • logout

        public void logout(javax.servlet.http.HttpServletRequest request,
                           javax.servlet.http.HttpServletResponse response,
                           Authentication authentication)
        When logout occurs, only invalidate the current token, and not all user sessions.

        The standard Spring Security implementations are too basic: they invalidate all tokens for the current user, so when the user logs out from one browser, all of their other sessions are destroyed as well.

        Specified by:
        logout in interface LogoutHandler
        Overrides:
        logout in class AbstractRememberMeServices
      • getPersistentToken

        protected Token getPersistentToken(String[] cookieTokens)
        Validate the token and return it.
      • createAndInsertPersistentToken

        public Token createAndInsertPersistentToken(String userId,
                                                    String remoteAddress,
                                                    String userAgent)
      • setCookieMaxAge

        public void setCookieMaxAge(Duration duration)
      • setTokenRefreshDuration

        public void setTokenRefreshDuration(Duration duration)
      • setStoreUserDetails

        public void setStoreUserDetails(boolean storeUserDetails)
      • setUserCache

        public void setUserCache(Duration maxAge,
                                 long maxSize)
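The per-session token model described in the class overview and in logout above, as an added illustrative example. This is a language-neutral model written for this page, not Flowable's Java code: the Token fields, the TokenStore class, its injectable clock and its constant-time value check are all assumptions of the model, chosen to mirror the behaviour the page documents (one token per session with audit data, a user cache keyed by token id, refresh after a configured duration, expiry after the cookie max age, and a logout that removes only the presented session).

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Token:
    series: str          # stable per-session id; the cookie's lookup key
    value: str           # rotating secret, regenerated when the token is refreshed
    user_id: str
    remote_address: str  # audit data, as the page describes
    user_agent: str
    last_used: datetime


class TokenStore:
    """One Token per browser session; logout removes only the presented series."""

    def __init__(self, cookie_max_age, refresh_after, clock=datetime.now):
        self.cookie_max_age = cookie_max_age  # cf. setCookieMaxAge
        self.refresh_after = refresh_after    # cf. setTokenRefreshDuration
        self.clock = clock                    # injectable for deterministic tests
        self.tokens = {}      # series -> Token
        self.user_cache = {}  # series -> resolved user; keyed by token id, not user id

    def create(self, user_id, remote_address, user_agent):
        tok = Token(secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                    user_id, remote_address, user_agent, self.clock())
        self.tokens[tok.series] = tok
        return tok

    def validate(self, series, value):
        """Return the token if the cookie is valid (refreshing it when stale), else None."""
        tok = self.tokens.get(series)
        if tok is None or not hmac.compare_digest(tok.value, value):
            return None  # unknown series or wrong secret (constant-time compare)
        now = self.clock()
        if now - tok.last_used > self.cookie_max_age:
            self.logout(series)  # expired: drop the token instead of reusing it
            return None
        if now - tok.last_used > self.refresh_after:
            tok.value = secrets.token_urlsafe(16)  # rotate the secret, keep the series
            tok.last_used = now
        self.user_cache.setdefault(series, tok.user_id)  # stand-in for cached UserDetails
        return tok

    def sessions_for(self, user_id):
        return [t for t in self.tokens.values() if t.user_id == user_id]

    def logout(self, series):
        """Invalidate only this session's token; the user's other sessions survive."""
        self.tokens.pop(series, None)
        self.user_cache.pop(series, None)  # cache entry dies with its token
```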