Identifies previously remembered users by a Base-64 encoded cookie.
This implementation does not rely on an external database, so is attractive for simple applications. The cookie will be valid for a specific period from the date of the last {@link #loginSuccess(HttpServletRequest,HttpServletResponse,Authentication)}. As per the interface contract, this method will only be called when the principal completes a successful interactive authentication. As such the time period commences from the last authentication attempt where they furnished credentials - not the time period they last logged in via remember-me. The implementation will only send a remember-me token if the parameter defined by {@link #setParameter(String)} is present.
An {@link org.springframework.security.core.userdetails.UserDetailsService} is required by this implementation, so that it can construct a valid Authentication from the returned {@link org.springframework.security.core.userdetails.UserDetails}. This is also necessary so that the user's password is available and can be checked as part of the encoded cookie.
The cookie encoded by this implementation adopts the following form:
username + ":" + expiryTime + ":" + Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)
As such, if the user changes their password, any remember-me token will be invalidated. Equally, the system administrator may invalidate every remember-me token currently on issue by changing the key. This provides some reasonable approaches to recovering from a remember-me token being left on a public machine (e.g. kiosk system, Internet cafe etc). Most importantly, at no time is the user's password ever sent to the user agent, providing an important security safeguard. Unfortunately the username is necessary in this implementation (as we do not want to rely on a database for remember-me services). High security applications should be aware of this occasionally undesired disclosure of a valid username.
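The cookie form above, built and verified end to end, as an added stand-alone example (not Spring Security's own code). It assumes expiryTime is expressed in epoch milliseconds and that a lookup_password callback stands in for the UserDetailsService; the verifier shows why a password change, a key change or tampering all invalidate a token while the password itself never leaves the server.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional

SEP = ":"  # field delimiter from the cookie form quoted above
DEFAULT_VALIDITY_S = 14 * 24 * 3600  # the 14-day default validity


def make_signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    """Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)."""
    data = SEP.join([username, str(expiry_ms), password, key])
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_cookie(username: str, password: str, key: str, now_ms: int,
                validity_s: int = DEFAULT_VALIDITY_S) -> str:
    """Base64 of username:expiryTime:signature (expiryTime assumed to be epoch ms)."""
    expiry_ms = now_ms + validity_s * 1000
    sig = make_signature(username, expiry_ms, password, key)
    raw = SEP.join([username, str(expiry_ms), sig])
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def verify_cookie(cookie: str, lookup_password: Callable[[str], Optional[str]],
                  key: str, now_ms: int) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None."""
    try:
        raw = base64.b64decode(cookie, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64 / UTF-8
    parts = raw.split(SEP)
    if len(parts) != 3 or not parts[1].isdecimal():
        return None  # malformed (a username containing ':' is rejected here)
    username, expiry_ms, presented = parts[0], int(parts[1]), parts[2]
    if expiry_ms < now_ms:
        return None  # past expiryTime
    # the stored password is fetched server-side (UserDetailsService role);
    # it is needed to recompute the hash but never appears in the cookie
    password = lookup_password(username)
    if password is None:
        return None  # unknown user
    expected = make_signature(username, expiry_ms, password, key)
    # constant-time compare; any password or key change makes this fail
    if not hmac.compare_digest(expected, presented):
        return None
    return username
```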
This is a basic remember-me implementation which is suitable for many applications. However, we recommend a database-based implementation if you require a more secure remember-me approach (see {@link PersistentTokenBasedRememberMeServices}).
By default the tokens will be valid for 14 days from the last successful authentication attempt. This can be changed using {@link #setTokenValiditySeconds(int)}. If this value is less than zero, the expiryTime will remain at 14 days, but the negative value will be used for the maxAge property of the cookie, meaning that the cookie is a session cookie and will not be stored when the browser is closed.
@author Ben Alex