//This cookie validation code section is taken straight from
//Spring's TokenBasedRememberMeServices, no need to reinvent the wheel.
// NOTE(review): the error message below says "2 tokens" while the check
// requires exactly 3 — username (cookieTokens[0]), expiry (cookieTokens[1])
// and signature (cookieTokens[2]) are all consumed later. The length check is
// correct; only the message is misleading and should read "3".
if (cookieTokens.length != 3)
{
throw new InvalidCookieException("Cookie token did not contain "
+ 2 + " tokens, but contained '"
+ Arrays.asList(cookieTokens) + "'");
}
long tokenExpiryTime;
try
{
tokenExpiryTime = new Long(cookieTokens[1]).longValue();
}
catch (NumberFormatException nfe)
{
throw new InvalidCookieException(
"Cookie token[1] did not contain a valid number (contained '"
+ cookieTokens[1] + "')");
}
if (isTokenExpired(tokenExpiryTime))
{
throw new InvalidCookieException(
"Cookie token[1] has expired (expired on '"
+ new Date(tokenExpiryTime)
+ "'; current time is '" + new Date() + "')");
}
// TODO make the following validation steps a cookie validation strategy
// passing userDetails and cookieTokens
// so this class doesn't have to know about ExtendedUserDetails
// interface. Only needed if some other UserDetails service is created.
// NOTE(review): until then, the unchecked cast below throws
// ClassCastException if the configured UserDetailsService returns any other
// UserDetails implementation, and a null return would NPE on
// userDetails.getPersistentLogin(). Neither surfaces as
// InvalidCookieException, so the caller must treat them as a failed
// auto-login rather than letting them propagate (verify against the caller).
// if not expired load user details
ExtendedUserDetails userDetails = (ExtendedUserDetails)
(getUserDetailsService().loadUserByUsername(cookieTokens[0]));
//if no persistentLogin info returned from UserDetailsService, abort
//as cookie was misleading or manually invalidated.
PersistentLogin login = userDetails.getPersistentLogin();
if (login == null)
{
throw new InvalidCookieException(
"No PersistentLogin record in repository");
}
// Check signature of token matches remaining details.
// Must do this after user lookup, because the expected signature and expiry
// come from the stored PersistentLogin record, not from the cookie.
// NOTE(review): two points a security reviewer would raise here:
// 1) String.equals() is not constant-time, and the stored token value is
//    effectively the bearer credential the cookie must present; compare with
//    MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
//    presented.getBytes(StandardCharsets.UTF_8)) to avoid a timing side channel.
// 2) The mismatch messages embed the expected (server-side) signature value,
//    and the expiry-mismatch message prints cookieTokens[2] (the signature)
//    where cookieTokens[1] (the expiry) was meant. If these messages reach a
//    log or a response they leak the valid token; log only the username and
//    that the check failed.
String expectedTokenSignature = login.getTokenValue();
long expectedExpiryDate = login.getTokenExpirationDate();
if (tokenExpiryTime != expectedExpiryDate)
{
throw new InvalidCookieException(
"Cookie token[1] contained expirationDate '"
+ cookieTokens[2] + "' but expected '"
+ expectedExpiryDate + "'");
}
if (!expectedTokenSignature.equals(cookieTokens[2]))
{
throw new InvalidCookieException(
"Cookie token[2] contained signature '" + cookieTokens[2]
+ "' but expected '" + expectedTokenSignature + "'");
}
return userDetails;