Exemple #1
0
    /**
     * Validate the token and return it.
     */
    private PersistentToken getPersistentToken(String[] cookieTokens) {
        if (cookieTokens.length != 2) {
            throw new InvalidCookieException("Cookie token did not contain " + 2 +
                    " tokens, but contained '" + Arrays.asList(cookieTokens) + "'");
        }

        final String presentedSeries = cookieTokens[0];
        final String presentedToken = cookieTokens[1];

        PersistentToken token = persistentTokenRepository.findOne(presentedSeries);

        if (token == null) {
            // No series match, so we can't authenticate using this cookie
            throw new RememberMeAuthenticationException("No persistent token found for series id: " + presentedSeries);
        }

        // We have a match for this user/series combination
        log.info("presentedToken={} / tokenValue={}", presentedToken, token.getTokenValue());
        if (!presentedToken.equals(token.getTokenValue())) {
            // Token doesn't match series value. Delete this session and throw an exception.
            persistentTokenRepository.delete(token);
            throw new CookieTheftException("Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.");
        }

        if (token.getTokenDate().plusDays(TOKEN_VALIDITY_DAYS).isBefore(LocalDate.now())) {
            persistentTokenRepository.delete(token);
            throw new RememberMeAuthenticationException("Remember-me login has expired");
        }
        return token;
    }
Exemple #2
0
 /**
  * When logout occurs, only invalidate the current token, and not all user sessions.
  * <p/>
  * The standard Spring Security implementations are too basic: they invalidate all tokens for the
  * current user, so when he logs out from one browser, all his other sessions are destroyed.
  */
 @Override
 @Transactional
 public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
     String rememberMeCookie = extractRememberMeCookie(request);
     if (rememberMeCookie != null && rememberMeCookie.length() != 0) {
         try {
             String[] cookieTokens = decodeCookie(rememberMeCookie);
             PersistentToken token = getPersistentToken(cookieTokens);
             persistentTokenRepository.delete(token);
         } catch (InvalidCookieException ice) {
             log.info("Invalid cookie, no persistent token could be deleted");
         } catch (RememberMeAuthenticationException rmae) {
             log.debug("No persistent token found, so no token could be deleted");
         }
     }
     super.logout(request, response, authentication);
 }