public class KeyBasedPersistenceTokenService extends java.lang.Object implements TokenService, org.springframework.beans.factory.InitializingBean
TokenService that is compatible with clusters and across machine restarts,
without requiring database persistence.
Keys are produced in the format:
Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )
In the above, creationTime, tokenKey and extendedInformation
are equal to that stored in Token. The Sha512Hex includes the same payload,
plus a serverSecret.
The serverSecret varies every millisecond. It relies on two static server-side secrets. The first
is a password, and the second is a server integer. Both of these must remain the same for any issued keys
to subsequently be recognised. The applicable serverSecret in any millisecond is computed by
password + ":" + (creationTime % serverInteger). This approach
further obfuscates the actual server secret and renders attempts to compute the server secret more
limited in usefulness (as any false tokens would be forced to have a creationTime equal
to the computed hash). Recall that framework features depending on token services should reject tokens
that are relatively old in any event.
A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers.
To this end, the use of SecureRandomFactoryBean is recommended to inject the property.
This implementation uses UTF-8 encoding internally for string manipulation.
| Constructor and Description |
|---|
KeyBasedPersistenceTokenService() |
| Modifier and Type | Method and Description |
|---|---|
void |
afterPropertiesSet() |
Token |
allocateToken(java.lang.String extendedInformation)
Forces the allocation of a new
Token. |
void |
setPseudoRandomNumberBits(int pseudoRandomNumberBits) |
void |
setSecureRandom(java.security.SecureRandom secureRandom) |
void |
setServerInteger(java.lang.Integer serverInteger) |
void |
setServerSecret(java.lang.String serverSecret) |
Token |
verifyToken(java.lang.String key)
Permits verification the <
Token.getKey() was issued by this TokenService and
reconstructs the corresponding Token. |
public Token allocateToken(java.lang.String extendedInformation)
TokenServiceToken.allocateToken in interface TokenServiceTokenService.verifyToken(String) at any future time.public Token verifyToken(java.lang.String key)
TokenServiceToken.getKey() was issued by this TokenService and
reconstructs the corresponding Token.verifyToken in interface TokenServicekey - as obtained from Token.getKey() and created by this implementationnull if the token was not issued by this TokenServicepublic void setServerSecret(java.lang.String serverSecret)
serverSecret - the new secret, which can contain a ":" if desired (never being sent to the client)public void setSecureRandom(java.security.SecureRandom secureRandom)
public void setPseudoRandomNumberBits(int pseudoRandomNumberBits)
pseudoRandomNumberBits - changes the number of bits issued (must be >= 0; defaults to 256)public void setServerInteger(java.lang.Integer serverInteger)
public void afterPropertiesSet()
throws java.lang.Exception
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBeanjava.lang.Exception