Package org.springframework.security.web.authentication.rememberme

Examples of org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException


        PersistentToken token = persistentTokenRepository.findOne(presentedSeries);

        if (token == null) {
            // No series match, so we can't authenticate using this cookie
            throw new RememberMeAuthenticationException("No persistent token found for series id: " + presentedSeries);
        }

        // We have a match for this user/series combination.
        // NOTE(review): the next line logs both the presented and the stored token value at INFO level.
        // The token value is a bearer credential (it alone, with the series, authenticates the user),
        // so it should not be written to logs; log only the series or a hash if diagnostics are needed.
        // String.equals() below is also not a constant-time comparison; MessageDigest.isEqual on the
        // byte representations is the usual substitute for secret comparison.
        log.info("presentedToken={} / tokenValue={}", presentedToken, token.getTokenValue());
        if (!presentedToken.equals(token.getTokenValue())) {
            // Token doesn't match series value: the series was presented with a stale token, which is
            // the signature of a stolen-then-rotated cookie. Only this series is deleted here; unlike the
            // removeUserTokens(...) variant elsewhere on this page, the user's other remember-me series
            // stay valid, so the user is not logged out everywhere on suspected theft.
            persistentTokenRepository.delete(token);
            throw new CookieTheftException("Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.");
        }

        if (token.getTokenDate().plusDays(TOKEN_VALIDITY_DAYS).isBefore(LocalDate.now())) {
            persistentTokenRepository.delete(token);
            throw new RememberMeAuthenticationException("Remember-me login has expired");
        }
        return token;
    }


          PersistentRememberMeToken token = tokenRepository.getTokenForSeries(presentedSeries);

          if (token == null) {
              // No series match, so we can't authenticate using this cookie
              throw new RememberMeAuthenticationException("No persistent token found for series id: " + presentedSeries);
          }


          // Handling note: the token value carried in the remote cookie does not include the client IP,
          // while the value stored in the database is a signature that does include it, so the presented
          // token must be run through makeTokenSignature(...) with the request's remote address before
          // the two can be compared.
          // Caveat for operators: because the stored signature is bound to request.getRemoteAddr(), any
          // change in the client's apparent address (mobile network hand-over, a reverse proxy or load
          // balancer without forwarded-address handling) fails this comparison and, per the branch below,
          // is treated as cookie theft and removes all of the user's tokens.
          String tokenSignature = makeTokenSignature(presentedToken,request.getRemoteAddr());
          // We have a match for this user/series combination
          if(tokenSignature==null||!tokenSignature.equals(token.getTokenValue())){
//          if (!presentedToken.equals(token.getTokenValue())) {
              // Token doesn't match series value. Delete all logins for this user and throw an exception to warn them.
              tokenRepository.removeUserTokens(token.getUsername());

              throw new CookieTheftException(messages.getMessage("PersistentTokenBasedRememberMeServices.cookieStolen",
                      "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."));
          }

          if (token.getDate().getTime() + getTokenValiditySeconds()*1000L < System.currentTimeMillis()) {
              throw new RememberMeAuthenticationException("Remember-me login has expired");
          }

          // Token also matches, so login is valid. Update the token value, keeping the *same* series number.
          if (logger.isDebugEnabled()) {
              logger.debug("Refreshing persistent login token for user '" + token.getUsername() + "', series '" +
                      token.getSeries() + "'");
          }

          HttpSession session = request.getSession();
          if(session!=null){
            session.setAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_LAST_USERNAME_KEY,token.getUsername());
          }
         
          PersistentRememberMeToken newToken = new PersistentRememberMeToken(token.getUsername(),
                  token.getSeries(), generateTokenData(), new Date());

          try {
              tokenRepository.updateToken(newToken.getSeries(), makeTokenSignature(newToken.getTokenValue(),request.getRemoteAddr()), newToken.getDate());
              addCookie(newToken, request, response);
          } catch (DataAccessException e) {
              logger.error("Failed to update token: ", e);
              throw new RememberMeAuthenticationException("Autologin failed due to data access problem");
          }

          UserDetails user = getUserDetailsService().loadUserByUsername(token.getUsername());

          return user;

        try {
            persistentTokenRepository.saveAndFlush(token);
            addCookie(token, request, response);
        } catch (DataAccessException e) {
            log.error("Failed to update token: ", e);
            throw new RememberMeAuthenticationException("Autologin failed due to data access problem", e);
        }
        return getUserDetailsService().loadUserByUsername(login);
    }

        PersistentToken token = persistentTokenRepository.findOne(presentedSeries);

        if (token == null) {
            // No series match, so we can't authenticate using this cookie
            throw new RememberMeAuthenticationException("No persistent token found for series id: " + presentedSeries);
        }

        // We have a match for this user/series combination.
        // NOTE(review): the next line logs both the presented and the stored token value at INFO level.
        // The token value is a bearer credential (it alone, with the series, authenticates the user),
        // so it should not be written to logs; log only the series or a hash if diagnostics are needed.
        // String.equals() below is also not a constant-time comparison; MessageDigest.isEqual on the
        // byte representations is the usual substitute for secret comparison.
        log.info("presentedToken={} / tokenValue={}", presentedToken, token.getTokenValue());
        if (!presentedToken.equals(token.getTokenValue())) {
            // Token doesn't match series value: the series was presented with a stale token, which is
            // the signature of a stolen-then-rotated cookie. Only this series is deleted here; unlike the
            // removeUserTokens(...) variant elsewhere on this page, the user's other remember-me series
            // stay valid, so the user is not logged out everywhere on suspected theft.
            persistentTokenRepository.delete(token);
            throw new CookieTheftException("Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.");
        }

        if (token.getTokenDate().plusDays(TOKEN_VALIDITY_DAYS).isBefore(LocalDate.now())) {
            persistentTokenRepository.delete(token);
            throw new RememberMeAuthenticationException("Remember-me login has expired");
        }
        return token;
    }

     * @param request the current request; the failing exception is read from its
     *                {@code javax.servlet.error.exception} attribute
     * @return the redirect view name for the login page ({@code REDIRECT_TO_LOGIN})
     */
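    @RequestMapping("/rememberMe")
    public String handleRememberMeException(HttpServletRequest request) {
        // The servlet container stores the exception that triggered the error page under this
        // attribute. Its type is not guaranteed: if the error path was entered for some other
        // exception (or the attribute is absent), the original unchecked cast to
        // RememberMeAuthenticationException would itself throw ClassCastException inside the
        // error handler. Inspect the type before using it so the redirect always happens.
        Object attribute = request.getAttribute("javax.servlet.error.exception");
        if (attribute instanceof RememberMeAuthenticationException) {
            LOGGER.error("RememberMe exception:", (RememberMeAuthenticationException) attribute);
        } else if (attribute instanceof Throwable) {
            // Same log line as before so existing log searches keep working, but the cause is
            // not a remember-me failure; log it as-is rather than dropping it.
            LOGGER.error("RememberMe exception:", (Throwable) attribute);
        } else {
            // Nothing to attach: the handler was reached without an exception attribute.
            LOGGER.error("RememberMe exception: no exception attribute present on request");
        }
        return REDIRECT_TO_LOGIN;
    }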


