Package org.springframework.security.config.annotation.web.configurers

Class RememberMeConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<RememberMeConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<DefaultSecurityFilterChain,H>

public final class RememberMeConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<RememberMeConfigurer<H>,H>

Configures Remember Me authentication. This typically involves the user checking a box when they enter their username and password that states to "Remember Me".

Security Filters

The following Filters are populated

• RememberMeAuthenticationFilter

Shared Objects Created

The following shared objects are populated

• HttpSecurity.authenticationProvider(org.springframework.security.authentication.AuthenticationProvider) is populated with a RememberMeAuthenticationProvider
• RememberMeServices is populated as a shared object and available on AbstractConfiguredSecurityBuilder.getSharedObject(Class)
• LogoutConfigurer.addLogoutHandler(LogoutHandler) is used to add a logout handler to clean up the remember me authentication.

Shared Objects Used

The following shared objects are used:

• AuthenticationManager
• UserDetailsService if no userDetailsService(UserDetailsService) was specified.
• DefaultLoginPageGeneratingFilter - if present will be populated with information from the configuration

Since:

3.2

Constructor Summary

Constructors

Constructor	Description
RememberMeConfigurer()	Creates a new instance

Method Summary

Modifier and Type	Method	Description
RememberMeConfigurer<H>	alwaysRemember(boolean alwaysRemember)	Whether the cookie should always be created even if the remember-me parameter is not set.
RememberMeConfigurer<H>	authenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler)	Allows control over the destination a remembered user is sent to when they are successfully authenticated.
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
void	init(H http)	Initialize the SecurityBuilder.
RememberMeConfigurer<H>	key(String key)	Sets the key to identify tokens created for remember me authentication.
RememberMeConfigurer<H>	rememberMeCookieDomain(String rememberMeCookieDomain)	The domain name within which the remember me cookie is visible.
RememberMeConfigurer<H>	rememberMeCookieName(String rememberMeCookieName)	The name of cookie which store the token for remember me authentication.
RememberMeConfigurer<H>	rememberMeParameter(String rememberMeParameter)	The HTTP parameter used to indicate to remember the user at time of login.
RememberMeConfigurer<H>	rememberMeServices(RememberMeServices rememberMeServices)	Specify the RememberMeServices to use.
RememberMeConfigurer<H>	tokenRepository(PersistentTokenRepository tokenRepository)	Specifies the PersistentTokenRepository to use.
RememberMeConfigurer<H>	tokenValiditySeconds(int tokenValiditySeconds)	Allows specifying how long (in seconds) a token is valid for
RememberMeConfigurer<H>	userDetailsService(UserDetailsService userDetailsService)	Specifies the UserDetailsService used to look up the UserDetails when a remember me token is valid.
RememberMeConfigurer<H>	useSecureCookie(boolean useSecureCookie)	Whether the cookie should be flagged as secure or not.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getSecurityContextHolderStrategy, withObjectPostProcessor, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, addObjectPostProcessor, and, getBuilder, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

RememberMeConfigurer

public RememberMeConfigurer()

Creates a new instance

Method Details

tokenValiditySeconds

public RememberMeConfigurer<H> tokenValiditySeconds(int tokenValiditySeconds)

Allows specifying how long (in seconds) a token is valid for

Parameters:

tokenValiditySeconds -

Returns:

RememberMeConfigurer for further customization

See Also:

• AbstractRememberMeServices.setTokenValiditySeconds(int)

useSecureCookie

public RememberMeConfigurer<H> useSecureCookie(boolean useSecureCookie)

Whether the cookie should be flagged as secure or not. Secure cookies can only be sent over an HTTPS connection and thus cannot be accidentally submitted over HTTP where they could be intercepted.

By default the cookie will be secure if the request is secure. If you only want to use remember-me over HTTPS (recommended) you should set this property to true.

Parameters:

useSecureCookie - set to true to always user secure cookies, false to disable their use.

Returns:

the RememberMeConfigurer for further customization

See Also:

• AbstractRememberMeServices.setUseSecureCookie(boolean)

userDetailsService

public RememberMeConfigurer<H> userDetailsService(UserDetailsService userDetailsService)

Specifies the UserDetailsService used to look up the UserDetails when a remember me token is valid. When using a SecurityFilterChain bean, the default is to look for a UserDetailsService bean. Alternatively, one can populate rememberMeServices(RememberMeServices).

Parameters:

userDetailsService - the UserDetailsService to configure

Returns:

the RememberMeConfigurer for further customization

See Also:

• AbstractRememberMeServices

tokenRepository

public RememberMeConfigurer<H> tokenRepository(PersistentTokenRepository tokenRepository)

Specifies the PersistentTokenRepository to use. The default is to use TokenBasedRememberMeServices instead.

Parameters:

tokenRepository - the PersistentTokenRepository to use

Returns:

the RememberMeConfigurer for further customization

key

public RememberMeConfigurer<H> key(String key)

Sets the key to identify tokens created for remember me authentication. Default is a secure randomly generated key. If rememberMeServices(RememberMeServices) is specified and is of type AbstractRememberMeServices, then the default is the key set in AbstractRememberMeServices.

Parameters:

key - the key to identify tokens created for remember me authentication

Returns:

the RememberMeConfigurer for further customization

rememberMeParameter

public RememberMeConfigurer<H> rememberMeParameter(String rememberMeParameter)

The HTTP parameter used to indicate to remember the user at time of login.

Parameters:

rememberMeParameter - the HTTP parameter used to indicate to remember the user

Returns:

the RememberMeConfigurer for further customization

rememberMeCookieName

public RememberMeConfigurer<H> rememberMeCookieName(String rememberMeCookieName)

The name of cookie which store the token for remember me authentication. Defaults to 'remember-me'.

Parameters:

rememberMeCookieName - the name of cookie which store the token for remember me authentication

Returns:

the RememberMeConfigurer for further customization

Since:

4.0.1

rememberMeCookieDomain

public RememberMeConfigurer<H> rememberMeCookieDomain(String rememberMeCookieDomain)

The domain name within which the remember me cookie is visible.

Parameters:

rememberMeCookieDomain - the domain name within which the remember me cookie is visible.

Returns:

the RememberMeConfigurer for further customization

Since:

4.1.0

authenticationSuccessHandler

public RememberMeConfigurer<H> authenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler)

Allows control over the destination a remembered user is sent to when they are successfully authenticated. By default, the filter will just allow the current request to proceed, but if an AuthenticationSuccessHandler is set, it will be invoked and the doFilter() method will return immediately, thus allowing the application to redirect the user to a specific URL, regardless of what the original request was for.

Parameters:

authenticationSuccessHandler - the strategy to invoke immediately before returning from doFilter().

Returns:

RememberMeConfigurer for further customization

See Also:

• RememberMeAuthenticationFilter.setAuthenticationSuccessHandler(AuthenticationSuccessHandler)

rememberMeServices

public RememberMeConfigurer<H> rememberMeServices(RememberMeServices rememberMeServices)

Specify the RememberMeServices to use.

Parameters:

rememberMeServices - the RememberMeServices to use

Returns:

the RememberMeConfigurer for further customizations

See Also:

• RememberMeServices

alwaysRemember

public RememberMeConfigurer<H> alwaysRemember(boolean alwaysRemember)

Whether the cookie should always be created even if the remember-me parameter is not set.

By default this will be set to false.

Parameters:

alwaysRemember - set to true to always trigger remember me, false to use the remember-me parameter.

Returns:

the RememberMeConfigurer for further customization

See Also:

• AbstractRememberMeServices.setAlwaysRemember(boolean)

init

public void init(H http)
          throws Exception

Description copied from interface: SecurityConfigurer

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.

Specified by:

init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Throws:

Exception

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>