org.exoplatform.web.security.security

Class CookieTokenService

java.lang.Object

org.exoplatform.web.security.security.AbstractTokenService<GateInToken,String>

org.exoplatform.web.security.security.CookieTokenService

All Implemented Interfaces:

TokenStore, org.picocontainer.Startable

Direct Known Subclasses:

RemindPasswordTokenService

public class CookieTokenService
extends AbstractTokenService<GateInToken,String>

Created by The eXo Platform SAS Author : liem.nguyen ncliam@gmail.com Jun 5, 2009

On 2013-01-02 the followig was added by ppalaga@redhat.com:

• Passwords encrypted symmetrically before they are stored. The functionaliy was taken from https://github.com/exoplatform/exogtn/commit/5ef8b0fa2d639f4d834444468426dfb2c8485ae9 with minor modifications. See codec
• The tokens are not stored in plain text, but intead only their salted hash is stored. See saltedHashService. To enable this, the following was done:
  • The structure of the underlying JCR store was changed from

     autologin
     |- plain-token1 user="user1" password="***" expiration="..."
     |- plain-token2 user="user2" password="***" expiration="..."
     `- ...
     

    to

     autologin
     |- user1
     |  |- plain-token1 user="user1" password="***" expiration="..."
     |  |- plain-token2 user="user1" password="***" expiration="..."
     |  `- ...
     |- user2
     |  |- plain-token3 user="user2" password="***" expiration="..."
     |  |- plain-token4 user="user2" password="***" expiration="..."
     |  `- ...
     `- ...
     

  • The value of the token was changed from "rememberme" + randomString to userName + '.' + randomString

It should be considered in the future if the password field can be removed altogether from TokenEntry.

Field Summary

Fields

Modifier and Type	Field and Description
static String	HASH_SERVICE_INIT_PARAM
static String	LIFECYCLE_NAME .

Fields inherited from class org.exoplatform.web.security.security.AbstractTokenService

CLEANUP_PERIOD_TIME, DEFAULT_TOKEN_BYTE_LENGTH, delay_time, name, SERVICE_CONFIG, tokenByteLength, validityMillis

Constructor Summary

Constructors

Constructor and Description
CookieTokenService(org.exoplatform.container.xml.InitParams initParams, ChromatticManager chromatticManager, CodecInitializer codecInitializer)

Method Summary

Modifier and Type	Method and Description
void	cleanExpiredTokens()
String	createToken(org.gatein.wci.security.Credentials credentials) Create a token and returns it.
protected String	decodeKey(String stringKey) Decode a key from its string representation.
void	deleteAll() Removes all tokens stored in the TokenContainer.
GateInToken	deleteToken(String cookieTokenString)
void	deleteTokensOfUser(String user) The UI should offer a way to delete all existing tokens of the current user.
GateInToken	getToken(String cookieTokenString)
protected String	nextTokenId()
long	size()
void	start()

Methods inherited from class org.exoplatform.web.security.security.AbstractTokenService

getInstance, getName, getPeriodTime, getValidityTime, nextRandom, stop, validateToken

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LIFECYCLE_NAME

public static final String LIFECYCLE_NAME

.

See Also:

Constant Field Values

HASH_SERVICE_INIT_PARAM

public static final String HASH_SERVICE_INIT_PARAM

See Also:

Constant Field Values

Constructor Detail

CookieTokenService

public CookieTokenService(org.exoplatform.container.xml.InitParams initParams,
                          ChromatticManager chromatticManager,
                          CodecInitializer codecInitializer)
                   throws TokenServiceInitializationException

Throws:

TokenServiceInitializationException

Method Detail

start

public void start()

Specified by:

start in interface org.picocontainer.Startable

Overrides:

start in class AbstractTokenService<GateInToken,String>

createToken

public String createToken(org.gatein.wci.security.Credentials credentials)

Description copied from interface: TokenStore

Create a token and returns it. The store state is modified as it retains the token until it is removed either explicitely or because the token validity is expired.

Parameters:

credentials - the credentials

Returns:

the token key

nextTokenId

protected String nextTokenId()

Overrides:

nextTokenId in class AbstractTokenService<GateInToken,String>

getToken

public GateInToken getToken(String cookieTokenString)

Specified by:

getToken in class AbstractTokenService<GateInToken,String>

deleteToken

public GateInToken deleteToken(String cookieTokenString)

Specified by:

deleteToken in class AbstractTokenService<GateInToken,String>

deleteTokensOfUser

public void deleteTokensOfUser(String user)

The UI should offer a way to delete all existing tokens of the current user.

Parameters:

user -

deleteAll

public void deleteAll()

Removes all tokens stored in the TokenContainer.

cleanExpiredTokens

public void cleanExpiredTokens()

Specified by:

cleanExpiredTokens in class AbstractTokenService<GateInToken,String>

size

public long size()

Specified by:

size in class AbstractTokenService<GateInToken,String>

decodeKey

protected String decodeKey(String stringKey)

Description copied from class: AbstractTokenService

Decode a key from its string representation.

Specified by:

decodeKey in class AbstractTokenService<GateInToken,String>

Parameters:

stringKey - the key a s a string

Returns:

the typed key