|
|
|
|
@ -25,27 +25,19 @@ import javax.servlet.http.HttpServletResponse;
@@ -25,27 +25,19 @@ import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
* Implement by a class that is capable of providing a remember-me service. |
|
|
|
|
* |
|
|
|
|
* <p> |
|
|
|
|
* Spring Security filters (namely {@link |
|
|
|
|
* org.springframework.security.ui.AbstractProcessingFilter} and {@link |
|
|
|
|
* org.springframework.security.ui.rememberme.RememberMeProcessingFilter} will call |
|
|
|
|
* Spring Security filters (namely {@link org.springframework.security.ui.AbstractProcessingFilter} and |
|
|
|
|
* {@link org.springframework.security.ui.rememberme.RememberMeProcessingFilter} will call |
|
|
|
|
* the methods provided by an implementation of this interface. |
|
|
|
|
* </p> |
|
|
|
|
* |
|
|
|
|
* <p> |
|
|
|
|
* Implementations may implement any type of remember-me capability they wish. |
|
|
|
|
* Rolling cookies (as per <a href="http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice"> |
|
|
|
|
* http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice</a>)
|
|
|
|
|
* can be used, as can simple implementations that don't require a persistent |
|
|
|
|
* store. Implementations also determine the validity period of a remember-me |
|
|
|
|
* cookie. This interface has been designed to accommodate any of these |
|
|
|
|
* can be used, as can simple implementations that don't require a persistent store. Implementations also determine |
|
|
|
|
* the validity period of a remember-me cookie. This interface has been designed to accommodate any of these |
|
|
|
|
* remember-me models. |
|
|
|
|
* </p> |
|
|
|
|
* |
|
|
|
|
* <p> |
|
|
|
|
* This interface does not define how remember-me services should offer a |
|
|
|
|
* "cancel all remember-me tokens" type capability, as this will be |
|
|
|
|
* implementation specific and requires no hooks into Spring Security. |
|
|
|
|
* </p> |
|
|
|
|
* This interface does not define how remember-me services should offer a "cancel all remember-me tokens" type |
|
|
|
|
* capability, as this will be implementation specific and requires no hooks into Spring Security. |
|
|
|
|
* |
|
|
|
|
* @author Ben Alex |
|
|
|
|
* @version $Id$ |
|
|
|
|
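Review bot: The sentence rewrapped onto the two lines beginning "Spring Security filters (namely {@link org.springframework.security.ui.AbstractProcessingFilter} and" opens a parenthesis at "(namely" that is never closed, and the reflow carries that over unchanged. Since these lines are being rewritten anyway, add the closing ")" after the second {@link ...RememberMeProcessingFilter} so the rendered Javadoc reads "(namely X and Y) will call the methods provided by an implementation of this interface". The opening context line "Implement by a class that is capable of providing a remember-me service." would also read better as "Implemented by a class ..." and could be fixed in the same pass.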
@ -60,11 +52,13 @@ public interface RememberMeServices {
@@ -60,11 +52,13 @@ public interface RememberMeServices {
|
|
|
|
|
* whatsoever to determine whether the browser has requested remember-me services or presented a valid cookie. |
|
|
|
|
* Such determinations are left to the implementation. If a browser has presented an unauthorised cookie for |
|
|
|
|
* whatever reason, it should be silently ignored and invalidated using the <code>HttpServletResponse</code> |
|
|
|
|
* object.<p>The returned <code>Authentication</code> must be acceptable to {@link |
|
|
|
|
* org.springframework.security.AuthenticationManager} or |
|
|
|
|
* {@link org.springframework.security.providers.AuthenticationProvider} defined by the web application. It is recommended {@link |
|
|
|
|
* org.springframework.security.providers.rememberme.RememberMeAuthenticationToken} be used in most cases, as it has a |
|
|
|
|
* corresponding authentication provider.</p> |
|
|
|
|
* object. |
|
|
|
|
* <p> |
|
|
|
|
* The returned <code>Authentication</code> must be acceptable to |
|
|
|
|
* {@link org.springframework.security.AuthenticationManager} or |
|
|
|
|
* {@link org.springframework.security.providers.AuthenticationProvider} defined by the web application. |
|
|
|
|
* It is recommended {@link org.springframework.security.providers.rememberme.RememberMeAuthenticationToken} be |
|
|
|
|
* used in most cases, as it has a corresponding authentication provider. |
|
|
|
|
* |
|
|
|
|
* @param request to look for a remember-me token within |
|
|
|
|
* @param response to change, cancel or modify the remember-me token |
|
|
|
|
|
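Review bot: The paragraph split out after "object." describes what the returned Authentication must be acceptable to, but nothing in the visible lines says what the method returns when a presented cookie is "silently ignored and invalidated". For an interface that implementers write security-sensitive code against, that case should be explicit: add a sentence to the new paragraph stating what is returned when no valid remember-me token is found, unless a tag outside this hunk already covers it. Minor wording in the same paragraph: "It is recommended {@link ...RememberMeAuthenticationToken} be used in most cases" reads more clearly as "It is recommended that {@link ...} be used in most cases".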