Comment: Migrated to Confluence 5.3

...

Code Block
    <!-- dependency in your pom.xml -->
    <dependency>
      <groupId>org.tynamo.security</groupId>
      <artifactId>tynamo-federatedaccounts-rollingtokens</artifactId>
      <version>0.4.3</version>
    </dependency>

Code Block
    // contributions in your application's AppModule
    import org.apache.tapestry5.ioc.Configuration;
    import org.apache.tapestry5.ioc.MappedConfiguration;
    import org.apache.tapestry5.ioc.annotations.Contribute;
    import org.apache.tapestry5.jpa.JpaEntityPackageManager;
    // plus the imports for FederatedAccountService, RollingTokenSymbols and ExpiringRollingToken
    // from the tynamo-federatedaccounts modules, and for your own UserAccount entity

    public class AppModule {

        // Register the "rollingtokens" account type and name the property that identifies the local account
        @Contribute(FederatedAccountService.class)
        public static void contributeFederatedAccountService(MappedConfiguration<String, Object> configuration) {
            configuration.add("rollingtokens", UserAccount.class);
            configuration.add("rollingtokens" + FederatedAccountService.IDPROPERTY, "id");
        }

        // Need to tell the principal type to rollingtokens so it can be persisted properly with the ExpiringRollingToken
        public static void contributeApplicationDefaults(MappedConfiguration<String, String> configuration) {
            configuration.add(RollingTokenSymbols.CONFIGURED_PRINCIPALTYPE, Long.class.getName());
        }

        // rollingtokens is currently JPA only: have the entity manager scan the ExpiringRollingToken package
        @Contribute(JpaEntityPackageManager.class)
        public static void addPackagesToScan(Configuration<String> configuration) {
            configuration.add(ExpiringRollingToken.class.getPackage().getName());
        }
    }

Rollingtokens plays especially well with Shiro's built-in rememberMe and its Subject.isAuthenticated() distinction. With Shiro's default rememberMe, a remembered Subject "is remembered, they are NOT considered authenticated". Together with rollingtokens, two cookies are issued to the user. If the matching principal is found but rolling-token authentication fails, Subject.isAuthenticated() returns false; if a matching server-side token was found and hadn't expired, it returns true, just as if the user had signed in with a username/password pair. Note however that rollingtokens does weaken security compared to secure form-based authentication (though it is in some ways more secure than BASIC or form-based authentication over plain HTTP).
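The remembered-versus-authenticated decision described above, as an added toy model written for this page; it is not the rollingtokens or Shiro code. It assumes a server-side store keyed by token value, that a presented token is consumed and replaced on every successful check (the "rolling" part), and uses constructed principal ids and timestamps.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Toy model of the rememberMe + rolling-token outcome (illustration only, not the library's API). */
public class RollingTokenDemo {
    enum Status { ANONYMOUS, REMEMBERED_ONLY, AUTHENTICATED }

    record Token(Long principalId, Instant expires) {}
    record Outcome(Status status, Optional<String> newToken) {}

    private final Map<String, Token> store = new HashMap<>(); // server-side tokens, keyed by token value
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;

    RollingTokenDemo(Duration ttl) { this.ttl = ttl; }

    /** Issue a fresh random token for the principal; this value goes into the second cookie. */
    String issue(Long principalId, Instant now) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String value = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(value, new Token(principalId, now.plus(ttl)));
        return value;
    }

    /** Evaluate the two cookies: the rememberMe principal and the presented rolling token. */
    Outcome check(Long rememberedPrincipalId, String presentedToken, Instant now) {
        if (rememberedPrincipalId == null) return new Outcome(Status.ANONYMOUS, Optional.empty());
        // Assumption: a presented token is always consumed, so a replayed cookie cannot succeed twice
        Token t = presentedToken == null ? null : store.remove(presentedToken);
        if (t == null || !t.principalId().equals(rememberedPrincipalId) || !now.isBefore(t.expires())) {
            // Principal known from rememberMe, but token missing, mismatched or expired: isAuthenticated() == false
            return new Outcome(Status.REMEMBERED_ONLY, Optional.empty());
        }
        // Valid, unexpired token: authenticated, and a rolled token is issued for the next request
        return new Outcome(Status.AUTHENTICATED, Optional.of(issue(rememberedPrincipalId, now)));
    }

    public static void main(String[] args) {
        RollingTokenDemo demo = new RollingTokenDemo(Duration.ofDays(14));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");           // constructed timestamp
        String cookie = demo.issue(42L, t0);                             // constructed principal id
        Outcome first = demo.check(42L, cookie, t0.plus(Duration.ofDays(1)));  // AUTHENTICATED, new token
        Outcome replay = demo.check(42L, cookie, t0.plus(Duration.ofDays(1))); // REMEMBERED_ONLY, token consumed
        Outcome late = demo.check(42L, first.newToken().orElseThrow(), t0.plus(Duration.ofDays(20))); // expired
        System.out.println(first.status() + " " + replay.status() + " " + late.status());
    }
}
```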

Code Block
    // configuration.add(FederatedAccountType.pac4j_.name() + SupportedClient.google2.name(), GoogleAccount.class);