Class FlowablePersistentRememberMeServices
java.lang.Object
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
com.flowable.core.spring.security.web.authentication.rememberme.FlowablePersistentRememberMeServices
- All Implemented Interfaces:
Aware
,InitializingBean
,MessageSourceAware
,LogoutHandler
,RememberMeServices
Custom implementation of Spring Security's RememberMeServices.
Persistent tokens are used by Spring Security to automatically log in users.
This is a specific implementation of Spring Security's remember-me authentication, but it is much more powerful than the standard implementations:- It allows a user to see the list of his currently opened sessions, and invalidate them
- It stores more information, such as the IP address and the user agent, for audit purposes
- When a user logs out, only his current session is invalidated, and not all of his sessions
This is inspired by:
The main algorithm comes from Spring Security's PersistentTokenBasedRememberMeServices, but this class couldn't be cleanly extended.
- Author:
- Joram Barrez, Tijs Rademakers, Filip Hrisafov
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
protected final PersistentTokenService
static final String
protected com.github.benmanes.caffeine.cache.Cache<String,
UserDetails> The cache that stores the token id linked with theUserDetails
that is linked to the token.Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
logger, messages, TWO_WEEKS_S
-
Constructor Summary
ConstructorDescriptionFlowablePersistentRememberMeServices
(String key, UserDetailsService userDetailsService, PersistentTokenService persistentTokenService) -
Method Summary
Modifier and TypeMethodDescriptionvoid
createAndInsertPersistentToken
(String userId, String remoteAddress, String userAgent) protected Token
getPersistentToken
(String[] cookieTokens) Validate the token and return it.void
logout
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication) When logout occurs, only invalidate the current token, and not all user sessions.protected void
onLoginSuccess
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) protected UserDetails
processAutoLoginCookie
(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) void
setCookieMaxAge
(Duration duration) void
setStoreUserDetails
(boolean storeUserDetails) void
setTokenRefreshDuration
(Duration duration) void
setUserCache
(Duration maxAge, long maxSize) Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookie, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie
-
Field Details
-
SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY
- See Also:
-
DEFAULT_PARAMETER
- See Also:
-
persistentTokenService
-
tokenUserCache
The cache that stores the token id linked with theUserDetails
that is linked to the token. It is not by user id since the user should be invalidated when the token is deleted.
-
-
Constructor Details
-
FlowablePersistentRememberMeServices
public FlowablePersistentRememberMeServices(String key, UserDetailsService userDetailsService, PersistentTokenService persistentTokenService)
-
-
Method Details
-
afterPropertiesSet
public void afterPropertiesSet()- Specified by:
afterPropertiesSet
in interfaceInitializingBean
- Overrides:
afterPropertiesSet
in classAbstractRememberMeServices
-
onLoginSuccess
protected void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication) - Specified by:
onLoginSuccess
in classAbstractRememberMeServices
-
processAutoLoginCookie
protected UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) - Specified by:
processAutoLoginCookie
in classAbstractRememberMeServices
-
logout
public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication) When logout occurs, only invalidate the current token, and not all user sessions.The standard Spring Security implementations are too basic: they invalidate all tokens for the current user, so when he logs out from one browser, all his other sessions are destroyed.
- Specified by:
logout
in interfaceLogoutHandler
- Overrides:
logout
in classAbstractRememberMeServices
-
getPersistentToken
Validate the token and return it. -
createAndInsertPersistentToken
-
setCookieMaxAge
-
setTokenRefreshDuration
-
setStoreUserDetails
public void setStoreUserDetails(boolean storeUserDetails) -
setUserCache
-