Class FlowablePersistentRememberMeServices

java.lang.Object
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
com.flowable.core.spring.security.web.authentication.rememberme.FlowablePersistentRememberMeServices
All Implemented Interfaces:
Aware, InitializingBean, MessageSourceAware, LogoutHandler, RememberMeServices

public class FlowablePersistentRememberMeServices extends AbstractRememberMeServices
Custom implementation of Spring Security's RememberMeServices.

Persistent tokens are used by Spring Security to automatically log in users.

This is a specific implementation of Spring Security's remember-me authentication, but it is much more powerful than the standard implementations:
  • It allows a user to see the list of his currently opened sessions, and invalidate them
  • It stores more information, such as the IP address and the user agent, for audit purposes
  • When a user logs out, only his current session is invalidated, and not all of his sessions

This is inspired by Spring Security's PersistentTokenBasedRememberMeServices: the main algorithm comes from that class, but it couldn't be cleanly extended, so the logic is reimplemented here.

Author:
Joram Barrez, Tijs Rademakers, Filip Hrisafov
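To make the per-session semantics described above concrete, here is an added, self-contained illustration of a token store with the three properties the class description lists (one token per browser with IP address and user agent kept for audit, a per-user session list, and a logout that removes only the current token). It is hypothetical example code written for this page, not Flowable's FlowablePersistentRememberMeServices or Spring's implementation; the class name PerSessionRememberMeStore, the in-memory map and the sample user/addresses are all constructed. The mismatch-on-known-series check mirrors the series/token theft detection of Spring's PersistentTokenBasedRememberMeServices, which the page names as the source of the algorithm; whether Flowable's class behaves identically on that path is not stated here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical per-session remember-me token store (example for this page,
 * not Flowable's or Spring's code). Each remembered browser owns one token
 * row with audit fields, so logging out of one browser removes only that row.
 */
public class PerSessionRememberMeStore {

    /** One persistent token == one remembered browser session. */
    public record Token(String series, String tokenValue, String userId,
                        String remoteAddress, String userAgent, Instant created) {}

    private final Map<String, Token> tokensBySeries = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration maxAge;

    public PerSessionRememberMeStore(Duration maxAge) {
        this.maxAge = maxAge;
    }

    private String randomValue() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** On login success: mint a fresh series for this browser and record where it came from. */
    public Token createAndInsertPersistentToken(String userId, String remoteAddress, String userAgent) {
        Token token = new Token(randomValue(), randomValue(), userId, remoteAddress, userAgent, Instant.now());
        tokensBySeries.put(token.series(), token);
        return token;
    }

    /**
     * On auto-login: validate the cookie's series/token pair. An unknown or expired
     * series is rejected. A known series with the wrong token is handled the way
     * Spring's PersistentTokenBasedRememberMeServices handles it: the cookie may
     * have been copied, so every session of that user is dropped.
     */
    public Optional<Token> validate(String series, String presentedToken) {
        Token token = tokensBySeries.get(series);
        if (token == null) {
            return Optional.empty();
        }
        if (token.created().plus(maxAge).isBefore(Instant.now())) {
            tokensBySeries.remove(series);
            return Optional.empty();
        }
        byte[] expected = token.tokenValue().getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedToken.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, presented)) { // constant-time compare
            logoutAllSessions(token.userId());
            return Optional.empty();
        }
        return Optional.of(token);
    }

    /** Logout from one browser: remove only the current series; other sessions survive. */
    public boolean logout(String series) {
        return tokensBySeries.remove(series) != null;
    }

    /** Remove every remembered session of a user (suspected theft, or "log out everywhere"). */
    public int logoutAllSessions(String userId) {
        List<String> doomed = new ArrayList<>();
        tokensBySeries.forEach((series, t) -> { if (t.userId().equals(userId)) doomed.add(series); });
        doomed.forEach(tokensBySeries::remove);
        return doomed.size();
    }

    /** What a "my sessions" page shows: address and user agent per remembered browser. */
    public List<Token> sessionsOf(String userId) {
        List<Token> result = new ArrayList<>();
        for (Token t : tokensBySeries.values()) {
            if (t.userId().equals(userId)) {
                result.add(t);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        PerSessionRememberMeStore store = new PerSessionRememberMeStore(Duration.ofDays(30));
        // Constructed sample data: one user remembered on two browsers.
        Token laptop = store.createAndInsertPersistentToken("alice", "192.0.2.10", "Firefox");
        Token phone = store.createAndInsertPersistentToken("alice", "198.51.100.7", "Mobile Safari");
        System.out.println("open sessions: " + store.sessionsOf("alice"));

        store.logout(laptop.series()); // removes the laptop session only
        System.out.println("phone still valid after laptop logout: "
                + store.validate(phone.series(), phone.tokenValue()).isPresent());

        // Wrong token on a known series: every session of the user is removed.
        store.validate(phone.series(), "not-the-real-token");
        System.out.println("sessions after mismatch: " + store.sessionsOf("alice"));
    }
}
```

The store keys everything by the per-browser series rather than by user id, which is the same reason the page gives for keying tokenUserCache by token id: a deletion of one token must invalidate exactly that browser's cached identity and nothing else. Run it with `java PerSessionRememberMeStore.java` (Java 16 or later, for the record type).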
  • Field Details

    • DEFAULT_PARAMETER

      public static final String DEFAULT_PARAMETER
    • persistentTokenService

      protected final PersistentTokenService persistentTokenService
    • tokenUserCache

      protected com.github.benmanes.caffeine.cache.Cache<String,UserDetails> tokenUserCache
      The cache that maps a token id to the UserDetails linked to that token. It is keyed by token id rather than by user id so that the cached user details are invalidated when the token is deleted.
  • Constructor Details

  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface InitializingBean
      Overrides:
      afterPropertiesSet in class AbstractRememberMeServices
    • onLoginSuccess

      protected void onLoginSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication successfulAuthentication)
      Specified by:
      onLoginSuccess in class AbstractRememberMeServices
    • processAutoLoginCookie

      protected UserDetails processAutoLoginCookie(String[] cookieTokens, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Specified by:
      processAutoLoginCookie in class AbstractRememberMeServices
    • logout

      public void logout(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Authentication authentication)
      When logout occurs, only the current token is invalidated, not all of the user's sessions.

      The standard Spring Security implementations are too coarse: they invalidate all tokens for the current user, so when the user logs out from one browser, all of their other sessions are destroyed as well.

      Specified by:
      logout in interface LogoutHandler
      Overrides:
      logout in class AbstractRememberMeServices
    • getPersistentToken

      protected Token getPersistentToken(String[] cookieTokens)
      Validate the token and return it.
    • createAndInsertPersistentToken

      public Token createAndInsertPersistentToken(String userId, String remoteAddress, String userAgent)
    • setCookieMaxAge

      public void setCookieMaxAge(Duration duration)
    • setTokenRefreshDuration

      public void setTokenRefreshDuration(Duration duration)
    • setStoreUserDetails

      public void setStoreUserDetails(boolean storeUserDetails)
    • setUserCache

      public void setUserCache(Duration maxAge, long maxSize)