Identifies previously remembered users by a Base-64 encoded cookie.
This implementation does not rely on an external database, so is attractive
for simple applications. The cookie will be valid for a specific period from
the date of the last
TokenBasedRememberMeServices.loginSuccess(HttpServletRequest, HttpServletResponse, Authentication).
As per the interface contract, this method will only be called when the
principal completes a successful interactive authentication. As such the time
period commences from the last authentication attempt where they furnished
credentials - not the time period they last logged in via remember-me. The
implementation will only send a remember-me token if the parameter defined by
TokenBasedRememberMeServices.setParameter(String) is present.
An org.acegisecurity.userdetails.UserDetailsService is required by this
implementation, so that it can construct a valid Authentication from the
returned org.acegisecurity.userdetails.UserDetails. This is also necessary so
that the user's password is available and can be checked as part of the
encoded cookie.
The cookie encoded by this implementation adopts the following form:
username + ":" + expiryTime + ":" + Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)
As such, if the user changes their password any remember-me token will be
invalidated. Equally, the system administrator may invalidate every
remember-me token on issue by changing the key. This provides some reasonable
approaches to recovering from a remember-me token being left on a public
machine (e.g. kiosk system, Internet cafe, etc.). Most importantly, at no time
is the user's password ever sent to the user agent, providing an important
security safeguard. Unfortunately the username is necessary in this
implementation (as we do not want to rely on a database for remember-me
services), and as such high-security applications should be aware of this
occasionally undesired disclosure of a valid username.
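As an added illustration (not Acegi's own code), the following Python builds and checks a cookie in the format described above, using a constructed sample user store in place of UserDetailsService and a placeholder key; it shows that a password change, a key change or an elapsed expiry each invalidates an existing token. The constant-time comparison is an added hardening not described on this page.

```python
import base64
import hashlib
import hmac

# Constructed sample user store standing in for the UserDetailsService lookup.
SAMPLE_USERS = {"alice": "s3cr3t"}
# Placeholder for the server-side "key" property; a real deployment uses its own value.
SERVER_KEY = "example-key-not-real"


def signature(username, expiry_ms, password, key):
    """Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)."""
    data = f"{username}:{expiry_ms}:{password}:{key}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def make_token(username, password, key, expiry_ms):
    """Build the Base-64 cookie value: username:expiryTime:signature."""
    raw = f"{username}:{expiry_ms}:{signature(username, expiry_ms, password, key)}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def check_token(cookie, key, now_ms, users=SAMPLE_USERS):
    """Return the username if the cookie is well-formed, unexpired and
    correctly signed for the user's *current* password; otherwise None."""
    try:
        raw = base64.b64decode(cookie, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = raw.split(":")
    if len(parts) != 3:            # extra or missing fields: reject
        return None
    username, expiry_str, presented = parts
    if not expiry_str.isdigit() or int(expiry_str) < now_ms:
        return None                # malformed or already-expired expiry time
    password = users.get(username)
    if password is None:           # unknown user: reject
        return None
    expected = signature(username, int(expiry_str), password, key)
    # Constant-time comparison (added hardening; the page only specifies the format).
    if not hmac.compare_digest(expected, presented):
        return None
    return username
```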
This is a basic remember-me implementation which is suitable for many
applications. However, we recommend a database-based implementation if you
require a more secure remember-me approach.
By default the tokens will be valid for 14 days from the last successful
authentication attempt. This can be changed using
TokenBasedRememberMeServices.setTokenValiditySeconds(long).
author: Ben Alex
version: $Id: TokenBasedRememberMeServices.java 1871 2007-05-25 03:12:49Z benalex $