Package org.flowable.ui.common.security

Class CustomPersistentRememberMeServices

  • All Implemented Interfaces:
    org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.web.authentication.logout.LogoutHandler, org.springframework.security.web.authentication.RememberMeServices
    public class CustomPersistentRememberMeServices
extends org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    Custom implementation of Spring Security's RememberMeServices.

    Persistent tokens are used by Spring Security to automatically log in users.

    This is a specific implementation of Spring Security's remember-me authentication, but it is much more powerful than the standard implementations:

    • It allows a user to see the list of his currently opened sessions, and invalidate them
    • It stores more information, such as the IP address and the user agent, for audit purposes
    • When a user logs out, only his current session is invalidated, and not all of his sessions

    This is inspired by:

    The main algorithm comes from Spring Security's PersistentTokenBasedRememberMeServices, but this class couldn't be cleanly extended.

    • Field Summary

      • Fields inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

        DEFAULT_PARAMETER, logger, messages, SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, TWO_WEEKS_S

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      Token createAndInsertPersistentToken​(String userId, String remoteAddress, String userAgent)  
      void logout​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication)
      When logout occurs, only invalidate the current token, and not all user sessions.
      protected void onLoginSuccess​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication successfulAuthentication)  
      protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie​(String[] cookieTokens, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)  
      protected void setCookie​(String[] tokens, int maxAge, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)  

      • Methods inherited from class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

        afterPropertiesSet, autoLogin, cancelCookie, createSuccessfulAuthentication, decodeCookie, encodeCookie, extractRememberMeCookie, getAuthenticationDetailsSource, getCookieName, getKey, getParameter, getTokenValiditySeconds, getUserDetailsService, loginFail, loginSuccess, onLoginFail, rememberMeRequested, setAlwaysRemember, setAuthenticationDetailsSource, setAuthoritiesMapper, setCookieDomain, setCookieName, setMessageSource, setParameter, setTokenValiditySeconds, setUserDetailsChecker, setUseSecureCookie

    • Constructor Detail

      • CustomPersistentRememberMeServices

        public CustomPersistentRememberMeServices​(FlowableCommonAppProperties properties,
                                          org.springframework.security.core.userdetails.UserDetailsService userDetailsService,
                                          PersistentTokenService persistentTokenService)

    • Method Detail

      • onLoginSuccess

        protected void onLoginSuccess​(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              org.springframework.security.core.Authentication successfulAuthentication)
        Specified by:
        onLoginSuccess in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

      • processAutoLoginCookie

        protected org.springframework.security.core.userdetails.UserDetails processAutoLoginCookie​(String[] cookieTokens,
                                                                                           javax.servlet.http.HttpServletRequest request,
                                                                                           javax.servlet.http.HttpServletResponse response)
        Specified by:
        processAutoLoginCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

      • logout

        public void logout​(javax.servlet.http.HttpServletRequest request,
                   javax.servlet.http.HttpServletResponse response,
                   org.springframework.security.core.Authentication authentication)
        When logout occurs, only invalidate the current token, and not all user sessions.

        The standard Spring Security implementations are too basic: they invalidate all tokens for the current user, so when he logs out from one browser, all his other sessions are destroyed.

        Specified by:
        logout in interface org.springframework.security.web.authentication.logout.LogoutHandler
        Overrides:
        logout in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

      • setCookie

        protected void setCookie​(String[] tokens,
                         int maxAge,
                         javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
        Overrides:
        setCookie in class org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices

      • createAndInsertPersistentToken

        public Token createAndInsertPersistentToken​(String userId,
                                            String remoteAddress,
                                            String userAgent)