|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.apache.shiro.mgt.AbstractRememberMeManager
public abstract class AbstractRememberMeManager
Abstract implementation of the RememberMeManager
interface that handles
serialization
and
encryption
of the remembered user identity.
AesCipherService
for strong encryption by default. It also
uses a default generated symmetric key to both encrypt and decrypt data. As AES is a symmetric cipher, the same
key
is used to both encrypt and decrypt data, BUT NOTE:
Because Shiro is an open-source project, if anyone knew that you were using Shiro's default
key
, they could download/view the source, and with enough effort, reconstruct the key
and decode encrypted data at will.
Of course, this key is only really used to encrypt the remembered PrincipalCollection
which is typically
a user id or username. So if you do not consider that sensitive information, and you think the default key still
makes things 'sufficiently difficult', then you can ignore this issue.
However, if you do feel this constitutes sensitive information, it is recommended that you provide your own
key
via the setCipherKey
method to a key known only to your application,
guaranteeing that no third party can decrypt your data. You can generate your own key by calling the
CipherService
's generateNewKey
method
and using that result as the cipherKey
configuration attribute.
Constructor Summary | |
---|---|
AbstractRememberMeManager()
Default constructor that initializes a DefaultSerializer as the serializer and
an AesCipherService as the cipherService . |
Method Summary | |
---|---|
protected PrincipalCollection |
convertBytesToPrincipals(byte[] bytes,
SubjectContext subjectContext)
If a cipherService is available, it will be used to first decrypt the byte array. |
protected byte[] |
convertPrincipalsToBytes(PrincipalCollection principals)
Converts the given principal collection the byte array that will be persisted to be 'remembered' later. |
protected byte[] |
decrypt(byte[] encrypted)
Decrypts the byte array using the configured cipherService . |
protected PrincipalCollection |
deserialize(byte[] serializedIdentity)
De-serializes the given byte array by using the serializer 's
deserialize method. |
protected byte[] |
encrypt(byte[] serialized)
Encrypts the byte array by using the configured cipherService . |
protected abstract void |
forgetIdentity(Subject subject)
Forgets (removes) any remembered identity data for the specified Subject instance. |
byte[] |
getCipherKey()
Convenience method that returns the cipher key to use for both encryption and decryption. |
CipherService |
getCipherService()
Returns the CipherService to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data. |
byte[] |
getDecryptionCipherKey()
Returns the decryption cipher key to use for decryption operations. |
byte[] |
getEncryptionCipherKey()
Returns the cipher key to use for encryption operations. |
protected PrincipalCollection |
getIdentityToRemember(Subject subject,
AuthenticationInfo info)
Returns info .getPrincipals() and
ignores the Subject argument. |
PrincipalCollection |
getRememberedPrincipals(SubjectContext subjectContext)
Implements the interface method by first acquiring
the remembered serialized byte array. |
protected abstract byte[] |
getRememberedSerializedIdentity(SubjectContext subjectContext)
Based on the given subject context data, retrieves the previously persisted serialized identity, or null if there is no available data. |
Serializer<PrincipalCollection> |
getSerializer()
Returns the Serializer used to serialize and deserialize PrincipalCollection instances for
persistent remember me storage. |
protected boolean |
isRememberMe(AuthenticationToken token)
Determines whether or not remember me services should be performed for the specified token. |
void |
onFailedLogin(Subject subject,
AuthenticationToken token,
AuthenticationException ae)
Reacts to a failed login by immediately forgetting any
previously remembered identity. |
void |
onLogout(Subject subject)
Reacts to a subject logging out of the application and immediately forgets any previously stored identity and returns. |
protected PrincipalCollection |
onRememberedPrincipalFailure(RuntimeException e,
SubjectContext context)
Called when an exception is thrown while trying to retrieve principals. |
void |
onSuccessfulLogin(Subject subject,
AuthenticationToken token,
AuthenticationInfo info)
Reacts to the successful login attempt by first always forgetting any previously
stored identity. |
void |
rememberIdentity(Subject subject,
AuthenticationToken token,
AuthenticationInfo authcInfo)
Remembers a subject-unique identity for retrieval later. |
protected void |
rememberIdentity(Subject subject,
PrincipalCollection accountPrincipals)
Remembers the specified account principals by first converting them to a byte
array and then remembers that
byte array. |
protected abstract void |
rememberSerializedIdentity(Subject subject,
byte[] serialized)
Persists the identity bytes to a persistent store for retrieval later via the getRememberedSerializedIdentity(SubjectContext) method. |
protected byte[] |
serialize(PrincipalCollection principals)
Serializes the given principals by serializing them to a byte array by using the
serializer 's serialize method. |
void |
setCipherKey(byte[] cipherKey)
Convenience method that sets the cipher key to use for both encryption and decryption. |
void |
setCipherService(CipherService cipherService)
Sets the CipherService to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data. |
void |
setDecryptionCipherKey(byte[] decryptionCipherKey)
Sets the decryption key to use for decryption operations. |
void |
setEncryptionCipherKey(byte[] encryptionCipherKey)
Sets the encryption key to use for encryption operations. |
void |
setSerializer(Serializer<PrincipalCollection> serializer)
Sets the Serializer used to serialize and deserialize PrincipalCollection instances for
persistent remember me storage. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Methods inherited from interface org.apache.shiro.mgt.RememberMeManager |
---|
forgetIdentity |
Constructor Detail |
---|
public AbstractRememberMeManager()
DefaultSerializer
as the serializer
and
an AesCipherService
as the cipherService
.
Method Detail |
---|
public Serializer<PrincipalCollection> getSerializer()
Serializer
used to serialize and deserialize PrincipalCollection
instances for
persistent remember me storage.
Unless overridden by the setSerializer(org.apache.shiro.io.Serializer)
method, the default instance is a
DefaultSerializer
.
Serializer
used to serialize and deserialize PrincipalCollection
instances for
persistent remember me storage.public void setSerializer(Serializer<PrincipalCollection> serializer)
Serializer
used to serialize and deserialize PrincipalCollection
instances for
persistent remember me storage.
Unless overridden by this method, the default instance is a DefaultSerializer
.
serializer
- the Serializer
used to serialize and deserialize PrincipalCollection
instances
for persistent remember me storage.public CipherService getCipherService()
CipherService
to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.
Unless overridden by the setCipherService(org.apache.shiro.crypto.CipherService)
method, the default instance is an AesCipherService
.
Cipher
to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity datapublic void setCipherService(CipherService cipherService)
CipherService
to use for encrypting and decrypting serialized identity data to prevent easy
inspection of Subject identity data.
If the CipherService is a symmetric CipherService (using the same key for both encryption and decryption), you
should set your key via the setCipherKey(byte[])
method.
If the CipherService is an asymmetric CipherService (different keys for encryption and decryption, such as
public/private key pairs), you should set your encryption and decryption key via the respective
setEncryptionCipherKey(byte[])
and setDecryptionCipherKey(byte[])
methods.
N.B. Unless overridden by this method, the default CipherService instance is an
AesCipherService
. This RememberMeManager
implementation already has a configured symmetric key
to use for encryption and decryption, but it is recommended to provide your own for added security. See the
class-level JavaDoc for more information and why it might be good to provide your own.
cipherService
- the CipherService
to use for encrypting and decrypting serialized identity data to
prevent easy inspection of Subject identity data.public byte[] getEncryptionCipherKey()
for a description of the various {@code get/set*Key} methods.
public void setEncryptionCipherKey(byte[] encryptionCipherKey)
encryptionCipherKey
- the encryption key to use for encryption operations.for a description of the various {@code get/set*Key} methods.
public byte[] getDecryptionCipherKey()
for a description of the various {@code get/set*Key} methods.
public void setDecryptionCipherKey(byte[] decryptionCipherKey)
decryptionCipherKey
- the decryption key to use for decryption operations.for a description of the various {@code get/set*Key} methods.
public byte[] getCipherKey()
cipherService
is a symmetric
CipherService which by definition uses the same key for both encryption and decryption. If using an asymmetric
CipherService public/private key pair, you cannot use this method, and should instead use the
getEncryptionCipherKey()
and getDecryptionCipherKey()
methods individually.
The default AesCipherService
instance is a symmetric cipher service, so this method can be used if you are
using the default.
public void setCipherKey(byte[] cipherKey)
cipherService
is a
symmetric CipherService?which by definition uses the same key for both encryption and decryption. If using an
asymmetric CipherService?(such as a public/private key pair), you cannot use this method, and should instead use
the setEncryptionCipherKey(byte[])
and setDecryptionCipherKey(byte[])
methods individually.
The default AesCipherService
instance is a symmetric CipherService, so this method can be used if you
are using the default.
cipherKey
- the symmetric cipher key to use for both encryption and decryption.protected abstract void forgetIdentity(Subject subject)
Subject
instance.
subject
- the subject instance for which identity data should be forgotten from the underlying persistence
mechanism.protected boolean isRememberMe(AuthenticationToken token)
true
iff:
null
andinstanceof
RememberMeAuthenticationToken
andtoken
.isRememberMe()
is
true
token
- the authentication token submitted during the successful authentication attempt.
public void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info)
forgetting
any previously
stored identity. Then if the token
is a RememberMe
token, the associated identity
will be remembered
for later retrieval during a new user session.
onSuccessfulLogin
in interface RememberMeManager
subject
- the subject for which the principals are being remembered.token
- the token that resulted in a successful authentication attempt.info
- the authentication info resulting from the successful authentication attempt.public void rememberIdentity(Subject subject, AuthenticationToken token, AuthenticationInfo authcInfo)
resolves
the exact
principals
to remember. It then remembers the principals by calling
rememberIdentity(org.apache.shiro.subject.Subject, org.apache.shiro.subject.PrincipalCollection)
.
This implementation ignores the AuthenticationToken
argument, but it is available to subclasses if
necessary for custom logic.
subject
- the subject for which the principals are being remembered.token
- the token that resulted in a successful authentication attempt.authcInfo
- the authentication info resulting from the successful authentication attempt.protected PrincipalCollection getIdentityToRemember(Subject subject, AuthenticationInfo info)
info
.getPrincipals()
and
ignores the Subject
argument.
subject
- the subject for which the principals are being remembered.info
- the authentication info resulting from the successful authentication attempt.
PrincipalCollection
to remember.protected void rememberIdentity(Subject subject, PrincipalCollection accountPrincipals)
converting
them to a byte
array and then remembers
that
byte array.
subject
- the subject for which the principals are being remembered.accountPrincipals
- the principals to remember for retrieval later.protected byte[] convertPrincipalsToBytes(PrincipalCollection principals)
serializes
the
principals to a byte array and then encrypts
that byte array.
principals
- the PrincipalCollection
to convert to a byte array
protected abstract void rememberSerializedIdentity(Subject subject, byte[] serialized)
getRememberedSerializedIdentity(SubjectContext)
method.
subject
- the Subject for which the identity is being serialized.serialized
- the serialized bytes to be persisted.public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext)
acquiring
the remembered serialized byte array. Then it converts
them and returns the re-constituted PrincipalCollection
. If no remembered principals could be
obtained, null
is returned.
If any exceptions are thrown, the onRememberedPrincipalFailure(RuntimeException, SubjectContext)
method
is called to allow any necessary post-processing (such as immediately removing any previously remembered
values for safety).
getRememberedPrincipals
in interface RememberMeManager
subjectContext
- the contextual data, usually provided by a Subject.Builder
implementation, that
is being used to construct a Subject
instance.
null
if none could be acquired.protected abstract byte[] getRememberedSerializedIdentity(SubjectContext subjectContext)
null
if there is no available data. The context map is usually populated by a Subject.Builder
implementation. See the SubjectFactory
class constants for Shiro's known map keys.
subjectContext
- the contextual data, usually provided by a Subject.Builder
implementation, that
is being used to construct a Subject
instance. To be used to assist with data
lookup.
null
if there is no available data for the
Subject.protected PrincipalCollection convertBytesToPrincipals(byte[] bytes, SubjectContext subjectContext)
cipherService
is available, it will be used to first decrypt the byte array.
Then the bytes are then deserialized
and then returned.
bytes
- the bytes to decrypt if necessary and then deserialize.subjectContext
- the contextual data, usually provided by a Subject.Builder
implementation, that
is being used to construct a Subject
instance.
protected PrincipalCollection onRememberedPrincipalFailure(RuntimeException e, SubjectContext context)
forgetIdentity(context)
and then immediately re-throws the
exception to allow the calling component to react accordingly.
This method implementation never returns an
object - it always rethrows, but can be overridden by subclasses for custom handling behavior.
This most commonly would be called when an encryption key is updated and old principals are retrieved that have
been encrypted with the previous key.
e
- the exception that was thrown.context
- the contextual data, usually provided by a Subject.Builder
implementation, that
is being used to construct a Subject
instance.
RuntimeException
is propagated in all cases.protected byte[] encrypt(byte[] serialized)
cipherService
.
serialized
- the serialized object byte array to be encrypted
() cipher
.protected byte[] decrypt(byte[] encrypted)
cipherService
.
encrypted
- the encrypted byte array to decrypt
() cipher
.protected byte[] serialize(PrincipalCollection principals)
principals
by serializing them to a byte array by using the
serializer
's serialize
method.
principals
- the principal collection to serialize to a byte array
protected PrincipalCollection deserialize(byte[] serializedIdentity)
serializer
's
deserialize
method.
serializedIdentity
- the previously serialized PrincipalCollection
as a byte array
PrincipalCollection
public void onFailedLogin(Subject subject, AuthenticationToken token, AuthenticationException ae)
forgetting
any
previously remembered identity. This is an additional security feature to prevent any remenant identity data
from being retained in case the authentication attempt is not being executed by the expected user.
onFailedLogin
in interface RememberMeManager
subject
- the subject which executed the failed login attempttoken
- the authentication token resulting in a failed login attempt - ignored by this implementationae
- the exception thrown as a result of the failed login attempt - ignored by this implementationpublic void onLogout(Subject subject)
forgets
any previously stored identity and returns.
onLogout
in interface RememberMeManager
subject
- the subject logging out.
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |