public class TimeKeyBasedPersistenceTokenService extends Object implements TokenService, org.springframework.beans.factory.InitializingBean
TokenService that is compatible with clusters and
across machine restarts, without requiring database persistence.
Keys are produced in the format:
Base64(creationTime + ":" + expireTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + expireTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )
In the above, creationTime, tokenKey and extendedInformation are equal to those stored in the Token. The
Sha512Hex covers the same payload, plus the serverSecret.
The serverSecret varies every millisecond. It relies on two static
server-side secrets. The first is a password, and the second is a server integer. Both
of these must remain the same for any issued keys to subsequently be recognised. The
applicable serverSecret in any millisecond is computed by
password + ":" + (creationTime % serverInteger).
This approach further obfuscates the actual server secret and renders attempts to
compute the server secret more limited in usefulness (as any false tokens would be
forced to have a creationTime equal to the computed hash). Recall that
framework features depending on token services should reject tokens that are relatively
old in any event.
A further consideration of this class is its requirement for cryptographically strong
pseudo-random numbers. To this end, the use of SecureRandomFactoryBean is
recommended for injecting the SecureRandom property.
This implementation uses UTF-8 encoding internally for string manipulation.
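The key layout and the per-millisecond serverSecret described above, as an added example in Python that is not code from this class or from Spring Security: the password, server integer, random-number length and the extendedInformation string are constructed assumptions, and the expiry check against the expireTime field is this example's own addition.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed settings (assumptions for this example, not values from the page).
SERVER_SECRET = "example-password"  # the static password (setServerSecret)
SERVER_INTEGER = 1000               # the static server integer (setServerInteger)

def server_secret_for(creation_time: int) -> str:
    """Secret in force at creationTime: password + ":" + (creationTime % serverInteger)."""
    return f"{SERVER_SECRET}:{creation_time % SERVER_INTEGER}"

def allocate_key(extended_info: str, ttl_seconds: int,
                 creation_time: Optional[int] = None, rand_bytes: int = 32) -> str:
    """Build a key in the documented layout and return it Base64-encoded."""
    if creation_time is None:
        creation_time = int(time.time() * 1000)
    expire_time = creation_time + ttl_seconds * 1000
    random_hex = secrets.token_hex(rand_bytes)  # hex(pseudoRandomNumber) from a CSPRNG
    payload = f"{creation_time}:{expire_time}:{random_hex}:{extended_info}"
    digest = hashlib.sha512(
        f"{payload}:{server_secret_for(creation_time)}".encode("utf-8")).hexdigest()
    return base64.b64encode(f"{payload}:{digest}".encode("utf-8")).decode("ascii")

def verify_key(key: str, now_ms: Optional[int] = None) -> Optional[dict]:
    """Return the token fields if the key was issued with our secrets, else None."""
    try:
        decoded = base64.b64decode(key, validate=True).decode("utf-8")
        payload, digest = decoded.rsplit(":", 1)  # the hex digest never contains ":"
        creation_str, expire_str, _random_hex, extended_info = payload.split(":", 3)
        creation_time, expire_time = int(creation_str), int(expire_str)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed key
    # Recompute the digest with the secret that applied at the claimed creationTime,
    # so a key only validates against the secret of the millisecond it claims.
    expected = hashlib.sha512(
        f"{payload}:{server_secret_for(creation_time)}".encode("utf-8")).hexdigest()
    if not hmac.compare_digest(expected.encode("utf-8"), digest.encode("utf-8")):
        return None  # not issued with these secrets, or tampered with
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if now_ms > expire_time:  # expiry check: this example's assumption, using expireTime
        return None
    return {"creationTime": creation_time, "expireTime": expire_time,
            "extendedInformation": extended_info}
```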
| Constructor and Description |
|---|
| TimeKeyBasedPersistenceTokenService() |

| Modifier and Type | Method and Description |
|---|---|
| void | afterPropertiesSet() |
| org.springframework.security.core.token.Token | allocateToken(LoginUser loginUser, Long timeToLive) Uses only the loginUser's id and userType. |
| void | setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) |
| void | setSecureRandom(SecureRandom secureRandom) |
| void | setServerInteger(Integer serverInteger) |
| void | setServerSecret(String serverSecret) |
| org.springframework.security.core.token.Token | verifyToken(String key) Permits verification that the Token.getKey() was issued by this TokenService and reconstructs the corresponding Token. |
public org.springframework.security.core.token.Token allocateToken(LoginUser loginUser, Long timeToLive)
Uses only the loginUser's id and userType.
Specified by: allocateToken in interface TokenService
Parameters:
loginUser - the extended information desired in the token (cannot be null, but can be empty)
timeToLive - time to live in seconds

public org.springframework.security.core.token.Token verifyToken(String key)
Permits verification that the Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.
Specified by: verifyToken in interface TokenService
Parameters:
key - as obtained from Token.getKey() and created by this implementation
Returns:
null if the token was not issued by this TokenService

public void setServerSecret(String serverSecret)
Parameters:
serverSecret - the new secret, which can contain a ":" if desired (never being sent to the client)

public void setSecureRandom(SecureRandom secureRandom)

public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes)
Parameters:
pseudoRandomNumberBytes - changes the number of bytes issued (must be >= 0; defaults to 256)

public void setServerInteger(Integer serverInteger)

public void afterPropertiesSet()
Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Copyright © 2020. All rights reserved.