/** * Implements the interface method by first {@link #getRememberedSerializedIdentity(SubjectContext) acquiring} * the remembered serialized byte array. Then it {@link #convertBytesToPrincipals(byte[], SubjectContext) converts} * them and returns the re-constituted {@link PrincipalCollection}. If no remembered principals could be * obtained, {@code null} is returned. * <p/> * If any exceptions are thrown, the {@link #onRememberedPrincipalFailure(RuntimeException, SubjectContext)} method * is called to allow any necessary post-processing (such as immediately removing any previously remembered * values for safety). * * @param subjectContext the contextual data, usually provided by a {@link Subject.Builder} implementation, that * is being used to construct a {@link Subject} instance. * @return the remembered principals or {@code null} if none could be acquired. */ public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) { PrincipalCollection principals = null; try { byte[] bytes = getRememberedSerializedIdentity(subjectContext); //SHIRO-138 - only call convertBytesToPrincipals if bytes exist: if (bytes != null && bytes.length > 0) { principals = convertBytesToPrincipals(bytes, subjectContext); } } catch (RuntimeException re) { principals = onRememberedPrincipalFailure(re, subjectContext); } return principals; }
/** * Remembers the specified account principals by first * {@link #convertPrincipalsToBytes(org.apache.shiro.subject.PrincipalCollection) converting} them to a byte * array and then {@link #rememberSerializedIdentity(org.apache.shiro.subject.Subject, byte[]) remembers} that * byte array. * * @param subject the subject for which the principals are being remembered. * @param accountPrincipals the principals to remember for retrieval later. */ protected void rememberIdentity(Subject subject, PrincipalCollection accountPrincipals) { byte[] bytes = convertPrincipalsToBytes(accountPrincipals); rememberSerializedIdentity(subject, bytes); }
/** * If a {@link #getCipherService() cipherService} is available, it will be used to first decrypt the byte array. * Then the bytes are then {@link #deserialize(byte[]) deserialized} and then returned. * * @param bytes the bytes to decrypt if necessary and then deserialize. * @param subjectContext the contextual data, usually provided by a {@link Subject.Builder} implementation, that * is being used to construct a {@link Subject} instance. * @return the de-serialized and possibly decrypted principals */ protected PrincipalCollection convertBytesToPrincipals(byte[] bytes, SubjectContext subjectContext) { if (getCipherService() != null) { bytes = decrypt(bytes); } return deserialize(bytes); }
/** * Converts the given principal collection the byte array that will be persisted to be 'remembered' later. * <p/> * This implementation first {@link #serialize(org.apache.shiro.subject.PrincipalCollection) serializes} the * principals to a byte array and then {@link #encrypt(byte[]) encrypts} that byte array. * * @param principals the {@code PrincipalCollection} to convert to a byte array * @return the representative byte array to be persisted for remember me functionality. */ protected byte[] convertPrincipalsToBytes(PrincipalCollection principals) { byte[] bytes = serialize(principals); if (getCipherService() != null) { bytes = encrypt(bytes); } return bytes; }
/** * Reacts to the successful login attempt by first always {@link #forgetIdentity(Subject) forgetting} any previously * stored identity. Then if the {@code token} * {@link #isRememberMe(org.apache.shiro.authc.AuthenticationToken) is a RememberMe} token, the associated identity * will be {@link #rememberIdentity(org.apache.shiro.subject.Subject, org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo) remembered} * for later retrieval during a new user session. * * @param subject the subject for which the principals are being remembered. * @param token the token that resulted in a successful authentication attempt. * @param info the authentication info resulting from the successful authentication attempt. */ public void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info) { //always clear any previous identity: forgetIdentity(subject); //now save the new identity: if (isRememberMe(token)) { rememberIdentity(subject, token, info); } else { if (log.isDebugEnabled()) { log.debug("AuthenticationToken did not indicate RememberMe is requested. " + "RememberMe functionality will not be executed for corresponding account."); } } }
/** * Decrypts the byte array using the configured {@link #getCipherService() cipherService}. * * @param encrypted the encrypted byte array to decrypt * @return the decrypted byte array returned by the configured {@link #getCipherService () cipher}. */ protected byte[] decrypt(byte[] encrypted) { byte[] serialized = encrypted; CipherService cipherService = getCipherService(); if (cipherService != null) { ByteSource byteSource = cipherService.decrypt(encrypted, getDecryptionCipherKey()); serialized = byteSource.getBytes(); } return serialized; }
/** * Encrypts the byte array by using the configured {@link #getCipherService() cipherService}. * * @param serialized the serialized object byte array to be encrypted * @return an encrypted byte array returned by the configured {@link #getCipherService () cipher}. */ protected byte[] encrypt(byte[] serialized) { byte[] value = serialized; CipherService cipherService = getCipherService(); if (cipherService != null) { ByteSource byteSource = cipherService.encrypt(serialized, getEncryptionCipherKey()); value = byteSource.getBytes(); } return value; }
/** * Remembers a subject-unique identity for retrieval later. This implementation first * {@link #getIdentityToRemember resolves} the exact * {@link PrincipalCollection principals} to remember. It then remembers the principals by calling * {@link #rememberIdentity(org.apache.shiro.subject.Subject, org.apache.shiro.subject.PrincipalCollection)}. * <p/> * This implementation ignores the {@link AuthenticationToken} argument, but it is available to subclasses if * necessary for custom logic. * * @param subject the subject for which the principals are being remembered. * @param token the token that resulted in a successful authentication attempt. * @param authcInfo the authentication info resulting from the successful authentication attempt. */ public void rememberIdentity(Subject subject, AuthenticationToken token, AuthenticationInfo authcInfo) { PrincipalCollection principals = getIdentityToRemember(subject, authcInfo); rememberIdentity(subject, principals); }
/** * Reacts to a subject logging out of the application and immediately * {@link #forgetIdentity(org.apache.shiro.subject.Subject) forgets} any previously stored identity and returns. * * @param subject the subject logging out. */ public void onLogout(Subject subject) { forgetIdentity(subject); } }
/** * Convenience method that returns the cipher key to use for <em>both</em> encryption and decryption. * <p/> * <b>N.B.</b> This method can only be called if the underlying {@link #getCipherService() cipherService} is a symmetric * CipherService which by definition uses the same key for both encryption and decryption. If using an asymmetric * CipherService public/private key pair, you cannot use this method, and should instead use the * {@link #getEncryptionCipherKey()} and {@link #getDecryptionCipherKey()} methods individually. * <p/> * The default {@link AesCipherService} instance is a symmetric cipher service, so this method can be used if you are * using the default. * * @return the symmetric cipher key used for both encryption and decryption. */ public byte[] getCipherKey() { //Since this method should only be used with symmetric ciphers //(where the enc and dec keys are the same), either is fine, just return one of them: return getEncryptionCipherKey(); }
/** * Converts the given principal collection the byte array that will be persisted to be 'remembered' later. * <p/> * This implementation first {@link #serialize(org.apache.shiro.subject.PrincipalCollection) serializes} the * principals to a byte array and then {@link #encrypt(byte[]) encrypts} that byte array. * * @param principals the {@code PrincipalCollection} to convert to a byte array * @return the representative byte array to be persisted for remember me functionality. */ protected byte[] convertPrincipalsToBytes(PrincipalCollection principals) { byte[] bytes = serialize(principals); if (getCipherService() != null) { bytes = encrypt(bytes); } return bytes; }
/** * Reacts to the successful login attempt by first always {@link #forgetIdentity(Subject) forgetting} any previously * stored identity. Then if the {@code token} * {@link #isRememberMe(org.apache.shiro.authc.AuthenticationToken) is a RememberMe} token, the associated identity * will be {@link #rememberIdentity(org.apache.shiro.subject.Subject, org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo) remembered} * for later retrieval during a new user session. * * @param subject the subject for which the principals are being remembered. * @param token the token that resulted in a successful authentication attempt. * @param info the authentication info resulting from the successful authentication attempt. */ public void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info) { //always clear any previous identity: forgetIdentity(subject); //now save the new identity: if (isRememberMe(token)) { rememberIdentity(subject, token, info); } else { if (log.isDebugEnabled()) { log.debug("AuthenticationToken did not indicate RememberMe is requested. " + "RememberMe functionality will not be executed for corresponding account."); } } }
/** * Decrypts the byte array using the configured {@link #getCipherService() cipherService}. * * @param encrypted the encrypted byte array to decrypt * @return the decrypted byte array returned by the configured {@link #getCipherService () cipher}. */ protected byte[] decrypt(byte[] encrypted) { byte[] serialized = encrypted; CipherService cipherService = getCipherService(); if (cipherService != null) { ByteSource byteSource = cipherService.decrypt(encrypted, getDecryptionCipherKey()); serialized = byteSource.getBytes(); } return serialized; }
/** * Encrypts the byte array by using the configured {@link #getCipherService() cipherService}. * * @param serialized the serialized object byte array to be encrypted * @return an encrypted byte array returned by the configured {@link #getCipherService () cipher}. */ protected byte[] encrypt(byte[] serialized) { byte[] value = serialized; CipherService cipherService = getCipherService(); if (cipherService != null) { ByteSource byteSource = cipherService.encrypt(serialized, getEncryptionCipherKey()); value = byteSource.getBytes(); } return value; }
/** * Remembers a subject-unique identity for retrieval later. This implementation first * {@link #getIdentityToRemember resolves} the exact * {@link PrincipalCollection principals} to remember. It then remembers the principals by calling * {@link #rememberIdentity(org.apache.shiro.subject.Subject, org.apache.shiro.subject.PrincipalCollection)}. * <p/> * This implementation ignores the {@link AuthenticationToken} argument, but it is available to subclasses if * necessary for custom logic. * * @param subject the subject for which the principals are being remembered. * @param token the token that resulted in a successful authentication attempt. * @param authcInfo the authentication info resulting from the successful authentication attempt. */ public void rememberIdentity(Subject subject, AuthenticationToken token, AuthenticationInfo authcInfo) { PrincipalCollection principals = getIdentityToRemember(subject, authcInfo); rememberIdentity(subject, principals); }
/** * Reacts to a failed login by immediately {@link #forgetIdentity(org.apache.shiro.subject.Subject) forgetting} any * previously remembered identity. This is an additional security feature to prevent any remenant identity data * from being retained in case the authentication attempt is not being executed by the expected user. * * @param subject the subject which executed the failed login attempt * @param token the authentication token resulting in a failed login attempt - ignored by this implementation * @param ae the exception thrown as a result of the failed login attempt - ignored by this implementation */ public void onFailedLogin(Subject subject, AuthenticationToken token, AuthenticationException ae) { forgetIdentity(subject); }
/** * Convenience method that returns the cipher key to use for <em>both</em> encryption and decryption. * <p/> * <b>N.B.</b> This method can only be called if the underlying {@link #getCipherService() cipherService} is a symmetric * CipherService which by definition uses the same key for both encryption and decryption. If using an asymmetric * CipherService public/private key pair, you cannot use this method, and should instead use the * {@link #getEncryptionCipherKey()} and {@link #getDecryptionCipherKey()} methods individually. * <p/> * The default {@link AesCipherService} instance is a symmetric cipher service, so this method can be used if you are * using the default. * * @return the symmetric cipher key used for both encryption and decryption. */ public byte[] getCipherKey() { //Since this method should only be used with symmetric ciphers //(where the enc and dec keys are the same), either is fine, just return one of them: return getEncryptionCipherKey(); }
/** * If a {@link #getCipherService() cipherService} is available, it will be used to first decrypt the byte array. * Then the bytes are then {@link #deserialize(byte[]) deserialized} and then returned. * * @param bytes the bytes to decrypt if necessary and then deserialize. * @param subjectContext the contextual data, usually provided by a {@link Subject.Builder} implementation, that * is being used to construct a {@link Subject} instance. * @return the de-serialized and possibly decrypted principals */ protected PrincipalCollection convertBytesToPrincipals(byte[] bytes, SubjectContext subjectContext) { if (getCipherService() != null) { bytes = decrypt(bytes); } return deserialize(bytes); }
/** * Converts the given principal collection the byte array that will be persisted to be 'remembered' later. * <p/> * This implementation first {@link #serialize(org.apache.shiro.subject.PrincipalCollection) serializes} the * principals to a byte array and then {@link #encrypt(byte[]) encrypts} that byte array. * * @param principals the {@code PrincipalCollection} to convert to a byte array * @return the representative byte array to be persisted for remember me functionality. */ protected byte[] convertPrincipalsToBytes(PrincipalCollection principals) { byte[] bytes = serialize(principals); if (getCipherService() != null) { bytes = encrypt(bytes); } return bytes; }
/** * Reacts to the successful login attempt by first always {@link #forgetIdentity(Subject) forgetting} any previously * stored identity. Then if the {@code token} * {@link #isRememberMe(org.apache.shiro.authc.AuthenticationToken) is a RememberMe} token, the associated identity * will be {@link #rememberIdentity(org.apache.shiro.subject.Subject, org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo) remembered} * for later retrieval during a new user session. * * @param subject the subject for which the principals are being remembered. * @param token the token that resulted in a successful authentication attempt. * @param info the authentication info resulting from the successful authentication attempt. */ public void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info) { //always clear any previous identity: forgetIdentity(subject); //now save the new identity: if (isRememberMe(token)) { rememberIdentity(subject, token, info); } else { if (log.isDebugEnabled()) { log.debug("AuthenticationToken did not indicate RememberMe is requested. " + "RememberMe functionality will not be executed for corresponding account."); } } }