Package org.springframework.security.web.authentication.rememberme

Examples of org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken


    }

    @Test(expected = RememberMeAuthenticationException.class)
    public void loginIsRejectedWhenTokenIsExpired() {
        MockTokenRepository repo =
                new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
        services.setTokenRepository(repo);
        services.setTokenValiditySeconds(1);
        try {
            Thread.sleep(1100);
        } catch (InterruptedException e) {


                new MockHttpServletResponse());
    }

    /**
     * A cookie whose series is known but whose token value differs from the stored one
     * must be rejected with {@link CookieTheftException}.
     */
    @Test(expected = CookieTheftException.class)
    public void cookieTheftIsDetectedWhenSeriesAndTokenDontMatch() {
        // The repository holds "wrongtoken" for series "series"; the cookie below presents "token".
        MockTokenRepository repo = new MockTokenRepository(
                new PersistentRememberMeToken("joe", "series", "wrongtoken", new Date()));
        services.setTokenRepository(repo);

        String[] presentedCookie = {"series", "token"};
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Same series, different token value: the expected exception is declared on @Test above.
        services.processAutoLoginCookie(presentedCookie, request, response);
    }

    }

    @Test
    public void successfulAutoLoginCreatesNewTokenAndCookieWithSameSeries() {
        MockTokenRepository repo =
                new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
        services.setTokenRepository(repo);
        // 12 => b64 length will be 16
        services.setTokenLength(12);
        MockHttpServletResponse response = new MockHttpServletResponse();
        services.processAutoLoginCookie(new String[] {"series", "token"}, new MockHttpServletRequest(), response);

        Cookie cookie = new Cookie("mycookiename", "somevalue");
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setCookies(cookie);
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockTokenRepository repo =
            new MockTokenRepository(new PersistentRememberMeToken("joe", "series","token", new Date()));
        services.setTokenRepository(repo);
        services.logout(request, response, new TestingAuthenticationToken("joe","somepass","SOME_AUTH"));
        Cookie returnedCookie = response.getCookie("mycookiename");
        assertNotNull(returnedCookie);
        assertEquals(0, returnedCookie.getMaxAge());

        /**
         * Stores {@code token} in the single {@code storedToken} slot, replacing whatever was held before.
         * No check is made for an existing entry with the same series.
         *
         * @param token the token to keep; stored as-is, without copying
         */
        public void createNewToken(PersistentRememberMeToken token) {
            storedToken = token;
        }

        /**
         * Replaces the stored token with one carrying a new value and last-used date,
         * keeping the username and series of the token that was stored before.
         *
         * @param series     not consulted here; the series of the currently stored token is reused
         * @param tokenValue the new token value
         * @param lastUsed   the date recorded on the replacement token
         */
        public void updateToken(String series, String tokenValue, Date lastUsed) {
            // Read both identity fields from the current token before it is overwritten.
            final String currentUser = storedToken.getUsername();
            final String currentSeries = storedToken.getSeries();
            storedToken = new PersistentRememberMeToken(currentUser, currentSeries, tokenValue, lastUsed);
        }

          }

          final String presentedSeries = cookieTokens[0];
          final String presentedToken = cookieTokens[1];

          PersistentRememberMeToken token = tokenRepository.getTokenForSeries(presentedSeries);

          if (token == null) {
              // No series match, so we can't authenticate using this cookie
              throw new RememberMeAuthenticationException("No persistent token found for series id: " + presentedSeries);
          }


          //处理!!远程的cookie的token的value应该是不包含IP信息的,而数据库中保存的token的value是包含IP信息的。
          //在比较之前要进行计算。
          String tokenSignature = makeTokenSignature(presentedToken,request.getRemoteAddr());
          // We have a match for this user/series combination
          if(tokenSignature==null||!tokenSignature.equals(token.getTokenValue())){
//          if (!presentedToken.equals(token.getTokenValue())) {
              // Token doesn't match series value. Delete all logins for this user and throw an exception to warn them.
              tokenRepository.removeUserTokens(token.getUsername());

              throw new CookieTheftException(messages.getMessage("PersistentTokenBasedRememberMeServices.cookieStolen",
                      "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."));
          }

          if (token.getDate().getTime() + getTokenValiditySeconds()*1000L < System.currentTimeMillis()) {
              throw new RememberMeAuthenticationException("Remember-me login has expired");
          }

          // Token also matches, so login is valid. Update the token value, keeping the *same* series number.
          if (logger.isDebugEnabled()) {
              logger.debug("Refreshing persistent login token for user '" + token.getUsername() + "', series '" +
                      token.getSeries() + "'");
          }

          HttpSession session = request.getSession();
          if(session!=null){
            session.setAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_LAST_USERNAME_KEY,token.getUsername());
          }
         
          PersistentRememberMeToken newToken = new PersistentRememberMeToken(token.getUsername(),
                  token.getSeries(), generateTokenData(), new Date());

          try {
              tokenRepository.updateToken(newToken.getSeries(), makeTokenSignature(newToken.getTokenValue(),request.getRemoteAddr()), newToken.getDate());
              addCookie(newToken, request, response);
          } catch (DataAccessException e) {
              logger.error("Failed to update token: ", e);
              throw new RememberMeAuthenticationException("Autologin failed due to data access problem");
          }

      protected void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) {
          String username = successfulAuthentication.getName();

          logger.debug("Creating new persistent login for user " + username);

          PersistentRememberMeToken persistentToken = new PersistentRememberMeToken(username, generateSeriesData(),
                  generateTokenData(), new Date());
          PersistentRememberMeToken ipToken = new PersistentRememberMeToken(username, persistentToken.getSeries(),
              makeTokenSignature(persistentToken.getTokenValue(),request.getRemoteAddr()), persistentToken.getDate());
          try {
              tokenRepository.createNewToken(ipToken);
              addCookie(persistentToken, request, response);
          } catch (DataAccessException e) {

    // Series id -> the token currently stored for that series.
    // NOTE(review): this is a plain HashMap and the createNewToken/updateToken methods in this listing
    // carry no synchronized modifier; confirm access is serialized elsewhere, otherwise concurrent
    // remember-me requests can race on token rotation.
    private final Map<String, PersistentRememberMeToken> seriesTokens = new HashMap<String, PersistentRememberMeToken>();

    @Override
    public void createNewToken(PersistentRememberMeToken token) {
        PersistentRememberMeToken current = seriesTokens.get(token.getSeries());

        if (current != null) {
            throw new DataIntegrityViolationException("Series Id '"
                    + token.getSeries() + "' already exists!");
        }

        seriesTokens.put(token.getSeries(), token);
    }

    /**
     * Overwrites the entry for {@code series} with a token carrying {@code tokenValue},
     * keeping the username of the token previously stored for that series.
     *
     * @param series     series id whose entry is replaced
     * @param tokenValue the new token value to store
     * @param lastUsed   not used here; the replacement token is stamped with the current time instead
     */
    @Override
    public void updateToken(String series, String tokenValue, Date lastUsed) {
        // NOTE(review): if getTokenForSeries returns null for an unknown series, the getUsername()
        // call below throws NullPointerException; confirm callers only pass a known series.
        final String owner = getTokenForSeries(series).getUsername();
        seriesTokens.put(series, new PersistentRememberMeToken(owner, series, tokenValue, new Date()));
    }

        Iterator<String> series = seriesTokens.keySet().iterator();

        while (series.hasNext()) {
            String seriesId = series.next();

            PersistentRememberMeToken token = seriesTokens.get(seriesId);

            if (username.equals(token.getUsername())) {
                series.remove();
            }
        }
    }
