1   /*
2    * Licensed to The Apereo Foundation under one or more contributor license
3    * agreements. See the NOTICE file distributed with this work for additional
4    * information regarding copyright ownership.
5    *
6    *
7    * The Apereo Foundation licenses this file to you under the Educational
8    * Community License, Version 2.0 (the "License"); you may not use this file
9    * except in compliance with the License. You may obtain a copy of the License
10   * at:
11   *
12   *   http://opensource.org/licenses/ecl2.txt
13   *
14   * Unless required by applicable law or agreed to in writing, software
15   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
17   * License for the specific language governing permissions and limitations under
18   * the License.
19   *
20   */
21  
22  package org.opencastproject.kernel.security;
23  
24  import org.slf4j.Logger;
25  import org.slf4j.LoggerFactory;
26  import org.springframework.security.core.userdetails.UserDetailsService;
27  import org.springframework.security.crypto.codec.Hex;
28  import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
29  
30  import java.security.MessageDigest;
31  import java.security.NoSuchAlgorithmException;
32  
33  /**
34   * This implements a zero-configuration version of Spring Security's token-based remember-me service. While the key can
35   * still be augmented by configuration, it is generally generated based on seldom changing but unique system
36   * properties like hostname, IP address, file system information and Linux kernel.
37   */
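public class SystemTokenBasedRememberMeService extends TokenBasedRememberMeServices {
  // Private to this class; nothing in this class logs through it at present.
  private static final Logger logger = LoggerFactory.getLogger(SystemTokenBasedRememberMeService.class);

  /**
   * Creates the service without supplying a key or a user details service.
   *
   * @deprecated No key is passed to the parent here, so nothing is augmented until {@link #setKey(String)} is
   *             called. Prefer {@link #SystemTokenBasedRememberMeService(String, UserDetailsService)}.
   */
  @Deprecated
  public SystemTokenBasedRememberMeService() {
    super();
  }

  /**
   * Creates the service with an augmented key.
   *
   * @param key
   *          the configured key; it is passed through {@code SystemTokenRememberMeUtils.augmentKey} before being
   *          handed to the parent class
   * @param userDetailsService
   *          the service the parent class uses to look up users
   */
  public SystemTokenBasedRememberMeService(String key, UserDetailsService userDetailsService) {
    super(SystemTokenRememberMeUtils.augmentKey(key), userDetailsService);
  }

  /**
   * Set a new key to be used when generating remember-me tokens.
   *
   * Note that the key passed to this method will be augmented by seldom changing but generally unique system
   * properties like hostname, IP address, file system information and Linux kernel. Hence, even setting no custom
   * key should be safe.
   *
   * Security note: the system properties listed above identify a host, but they are not secrets. Anyone who knows
   * the full key can compute valid token signatures, so a deployment that needs unforgeable remember-me cookies
   * should still configure a random, high-entropy custom key.
   * NOTE(review): {@code augmentKey} is defined elsewhere; confirm what it mixes in and how it treats a null or
   * empty key.
   *
   * @param key
   *          the configured key to augment and store
   */
  @Override
  public void setKey(String key) {
    super.setKey(SystemTokenRememberMeUtils.augmentKey(key));
  }

  /**
   * Calculates the signature to be put in the cookie: the hex-encoded SHA-512 digest of
   * {@code "username:tokenExpiryTime:password:key"}.
   *
   * This is a plain digest with the key appended, not an HMAC. The fields are joined with {@code ':'} without
   * escaping, so the signed string does not by itself record where one field ends and the next begins.
   * NOTE(review): {@code password} is presumably the stored credential of the user as seen by the parent class;
   * verify against the caller. The comparison of a presented signature with this value happens in the parent class
   * and should be checked there for constant-time behaviour.
   *
   * @param tokenExpiryTime
   *          the expiry time of the token, included verbatim in the signed data
   * @param username
   *          the user name the token is issued for
   * @param password
   *          the password value included in the signed data
   * @return the lower-level hex encoding (as produced by {@code Hex.encode}) of the SHA-512 digest
   * @throws IllegalStateException
   *           if the JVM provides no SHA-512 implementation
   */
  @Override
  protected String makeTokenSignature(long tokenExpiryTime, String username, String password) {
    final String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();
    final MessageDigest digest;
    try {
      digest = MessageDigest.getInstance("SHA-512");
    } catch (NoSuchAlgorithmException e) {
      // Keep the cause so the missing-provider details are not lost
      throw new IllegalStateException("No SHA-512 algorithm available!", e);
    }

    // Encode with a fixed charset: the platform default differs between hosts, which would make nodes of one
    // installation compute different signatures for non-ASCII user names or keys. For ASCII-only data on an
    // ASCII-compatible default charset the bytes, and therefore existing cookies, are unchanged.
    final byte[] signed = digest.digest(data.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    return new String(Hex.encode(signed));
  }
}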