SEC-485: Added calculateLoginLifetime method.

2007-11-13 01:16:27 +00:00 · 2007-11-13 01:16:27 +00:00 · 81067840ef
parent b681952933
commit 81067840ef
1 changed files with 26 additions and 4 deletions
--- a/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/springframework/security/ui/rememberme/TokenBasedRememberMeServices.java
@ -158,12 +158,13 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
 			return;
 		}

-		long expiryTime = System.currentTimeMillis() + getTokenValiditySeconds() * 1000;
+		int tokenLifetime = calculateLoginLifetime(request, successfulAuthentication);
+        long expiryTime = System.currentTimeMillis() + 1000*tokenLifetime;

-		String signatureValue = makeTokenSignature(expiryTime, username, password);
+        String signatureValue = makeTokenSignature(expiryTime, username, password);
        String cookieValue = encodeCookie(new String[] {username, Long.toString(expiryTime), signatureValue});

-		response.addCookie(makeValidCookie(cookieValue, request, getTokenValiditySeconds()));
+        response.addCookie(makeValidCookie(cookieValue, request, tokenLifetime));

 		if (logger.isDebugEnabled()) {
 			logger.debug("Added remember-me cookie for user '" + username + "', expiry: '"
@ -171,7 +172,28 @@ public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
 		}
 	}

-	protected String retrieveUserName(Authentication authentication) {
+    /**
+     * Calculates the validity period in seconds for a newly generated remember-me login.
+     * After this period (from the current time) the remember-me login will be considered expired.
+     * This method allows customization based on request parameters supplied with the login or information in
+     * the <tt>Authentication</tt> object. The default value is just the token validity period property,
+     * <tt>tokenValiditySeconds</tt>.
+     * <p>
+     * The returned value will be used to work out the expiry time of the token and will also be
+     * used to set the <tt>maxAge</tt> property of the cookie.
+     * </p>
+     *
+     * See SEC-485.
+     *
+     * @param request the request passed to onLoginSuccess
+     * @param authentication the successful authentication object.
+     * @return the lifetime in seconds.
+     */
+    protected int calculateLoginLifetime(HttpServletRequest request, Authentication authentication) {
+        return getTokenValiditySeconds();
+    }
+
+    protected String retrieveUserName(Authentication authentication) {
 		if (isInstanceOfUserDetails(authentication)) {
 			return ((UserDetails) authentication.getPrincipal()).getUsername();
 		}