KeyBasedPersistenceTokenService (Spring Security 3.2.9.RELEASE API)

java.lang.Object
- org.springframework.security.core.token.KeyBasedPersistenceTokenService

All Implemented Interfaces:

InitializingBean, TokenService
```
public class KeyBasedPersistenceTokenService
extends Object
implements TokenService, InitializingBean
```
Basic implementation of TokenService that is compatible with clusters and across machine restarts, without requiring database persistence.
Keys are produced in the format:

Base64(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + Sha512Hex(creationTime + ":" + hex(pseudoRandomNumber) + ":" + extendedInformation + ":" + serverSecret) )

In the above, creationTime, tokenKey and extendedInformation are equal to that stored in Token. The Sha512Hex includes the same payload, plus a serverSecret.

The serverSecret varies every millisecond. It relies on two static server-side secrets. The first is a password, and the second is a server integer. Both of these must remain the same for any issued keys to subsequently be recognised. The applicable serverSecret in any millisecond is computed by password + ":" + (creationTime % serverInteger). This approach further obfuscates the actual server secret and renders attempts to compute the server secret more limited in usefulness (as any false tokens would be forced to have a creationTime equal to the computed hash). Recall that framework features depending on token services should reject tokens that are relatively old in any event.

A further consideration of this class is the requirement for cryptographically strong pseudo-random numbers. To this end, the use of SecureRandomFactoryBean is recommended to inject the property.

This implementation uses UTF-8 encoding internally for string manipulation.

Author:

Ben Alex

Constructor Summary

Constructors
Constructor and Description

KeyBasedPersistenceTokenService()

Constructors
Constructor and Description
`KeyBasedPersistenceTokenService()`

Method Summary

Methods
Modifier and Type	Method and Description
`void`	`afterPropertiesSet()`
`Token`	`allocateToken(String extendedInformation)` Forces the allocation of a new `Token`.
`void`	`setPseudoRandomNumberBits(int pseudoRandomNumberBytes)` Deprecated. use `setPseudoRandomNumberBytes(int)`
`void`	`setPseudoRandomNumberBytes(int pseudoRandomNumberBytes)`
`void`	`setSecureRandom(SecureRandom secureRandom)`
`void`	`setServerInteger(Integer serverInteger)`
`void`	`setServerSecret(String serverSecret)`
`Token`	`verifyToken(String key)` Permits verification the <`Token.getKey()` was issued by this `TokenService` and reconstructs the corresponding `Token`.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - KeyBasedPersistenceTokenService
```
public KeyBasedPersistenceTokenService()
```
- Method Detail
  - allocateToken
```
public Token allocateToken(String extendedInformation)
```
    Description copied from interface: TokenService
    
    Forces the allocation of a new Token.
    
    Specified by:
    
    allocateToken in interface TokenService
    
    Parameters:
    extendedInformation - the extended information desired in the token (cannot be null, but can be empty)
    
    Returns:
    a new token that has not been issued previously, and is guaranteed to be recognised by this implementation's TokenService.verifyToken(String) at any future time.
  - verifyToken
```
public Token verifyToken(String key)
```
    Description copied from interface: TokenService
    
    Permits verification the <Token.getKey() was issued by this TokenService and reconstructs the corresponding Token.
    
    Specified by:
    
    verifyToken in interface TokenService
    
    Parameters:
    key - as obtained from Token.getKey() and created by this implementation
    
    Returns:
    the token, or null if the token was not issued by this TokenService
  - setServerSecret
```
public void setServerSecret(String serverSecret)
```
    Parameters:
    serverSecret - the new secret, which can contain a ":" if desired (never being sent to the client)
  - setSecureRandom
```
public void setSecureRandom(SecureRandom secureRandom)
```
  - setPseudoRandomNumberBits
```
public void setPseudoRandomNumberBits(int pseudoRandomNumberBytes)
```
    Deprecated. use setPseudoRandomNumberBytes(int)
    
    This method actually sets the number of bytes despite the method name indicating it is the number of bits.
    
    Parameters:
    pseudoRandomNumberBytes - changes the number of bytes issued (must be >= 0; defaults to 256)
  - setPseudoRandomNumberBytes
```
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes)
```
    Parameters:
    pseudoRandomNumberBytes - changes the number of bytes issued (must be >= 0; defaults to 256 for passivity reasons)
  - setServerInteger
```
public void setServerInteger(Integer serverInteger)
```
  - afterPropertiesSet
```
public void afterPropertiesSet()
                        throws Exception
```
    Specified by:
    
    afterPropertiesSet in interface InitializingBean
    
    Throws:
    
    Exception

Class KeyBasedPersistenceTokenService

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

KeyBasedPersistenceTokenService

Method Detail

allocateToken

verifyToken

setServerSecret

setSecureRandom

setPseudoRandomNumberBits

setPseudoRandomNumberBytes

setServerInteger

afterPropertiesSet