Basic implementation of {@link TokenService} that is compatible with clusters and survives machine restarts, without requiring database persistence.
Keys are produced in the format:
Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret))
In the above, creationTime, tokenKey (the hex(pseudoRandomNumber) shown) and extendedInformation are equal to those stored in {@link Token}. The Sha512Hex covers the same payload, plus a serverSecret.
The serverSecret varies every millisecond. It is derived from two static server-side secrets: the first is a password, the second is a server integer. Both must remain the same for any issued keys to subsequently be recognised. The serverSecret applicable in a given millisecond is computed as password + ":" + (creationTime % serverInteger). This further obfuscates the actual server secret and limits the usefulness of any attempt to recover it, because a forged token would be forced to carry a creationTime that produces the same creationTime % serverInteger value as the secret that was recovered. Recall that framework features depending on token services should reject tokens that are relatively old in any event.
A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers. To this end, the use of {@link SecureRandomFactoryBean} is recommended to inject the pseudo-random number generator property.
This implementation uses UTF-8 encoding internally for string manipulation.
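As an added illustration (not this class's own source), the following Python sketch produces and verifies keys in the format described above; the password, server integer and pinned sample values are constructed for the example, and the handling of ":" inside extendedInformation is an assumption.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional


def server_secret(password: str, server_integer: int, creation_time: int) -> str:
    """serverSecret for one millisecond: password + ":" + (creationTime % serverInteger)."""
    return f"{password}:{creation_time % server_integer}"


def sha512_hex(creation_time: int, token_key: str, extended_info: str, secret: str) -> str:
    """Sha512Hex over the token payload plus the per-millisecond server secret."""
    payload = f"{creation_time}:{token_key}:{extended_info}:{secret}"
    return hashlib.sha512(payload.encode("utf-8")).hexdigest()


def allocate_token(password: str, server_integer: int, extended_info: str,
                   creation_time: Optional[int] = None,
                   random_bytes: Optional[bytes] = None) -> str:
    """Build a key in the documented format; creation_time and random_bytes may be pinned
    by the caller, otherwise the clock and os.urandom (standing in for a strong PRNG) are used."""
    if creation_time is None:
        creation_time = int(time.time() * 1000)
    if random_bytes is None:
        random_bytes = os.urandom(32)
    token_key = random_bytes.hex()  # hex(pseudoRandomNumber)
    digest = sha512_hex(creation_time, token_key, extended_info,
                        server_secret(password, server_integer, creation_time))
    content = f"{creation_time}:{token_key}:{extended_info}:{digest}"
    return base64.b64encode(content.encode("utf-8")).decode("ascii")


def verify_token(password: str, server_integer: int, key: str):
    """Return (creationTime, tokenKey, extendedInformation) if the key verifies, else None."""
    try:
        content = base64.b64decode(key, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = content.split(":")
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    creation_time, token_key, digest = int(parts[0]), parts[1], parts[-1]
    extended_info = ":".join(parts[2:-1])  # assumption: extendedInformation may contain ':'
    expected = sha512_hex(creation_time, token_key, extended_info,
                          server_secret(password, server_integer, creation_time))
    if not hmac.compare_digest(expected, digest):  # constant-time hash comparison
        return None
    return creation_time, token_key, extended_info
```

Age checking is left to the caller, matching the note above that consumers should reject relatively old tokens.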
@author Ben Alex