Package org.apache.shiro.web.mgt

Class CookieRememberMeManager

java.lang.Object
org.apache.shiro.mgt.AbstractRememberMeManager
org.apache.shiro.web.mgt.CookieRememberMeManager
All Implemented Interfaces:
org.apache.shiro.mgt.RememberMeManager
public class CookieRememberMeManager extends org.apache.shiro.mgt.AbstractRememberMeManager
Remembers a Subject's identity by saving the Subject's principals to a Cookie for later retrieval.

Cookie attributes (path, domain, maxAge, etc.) may be set on this class's default cookie attribute, which acts as a template to use to set all properties of outgoing cookies created by this implementation.

The default cookie has the following attribute values set:

Attribute Name Value
name rememberMe
path /
maxAge Cookie.ONE_YEAR

Note that because this class subclasses the AbstractRememberMeManager which already provides serialization and encryption logic, this class utilizes both for added security before setting the cookie value.

Since:
1.0

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    DEFAULT_REMEMBER_ME_COOKIE_NAME
    The default name of the underlying rememberMe cookie which is rememberMe.

  • Constructor Summary

    Constructors
    Constructor
    Description
    CookieRememberMeManager()
    Constructs a new CookieRememberMeManager with a default rememberMe cookie template.
    CookieRememberMeManager(Supplier<byte[]> keySupplier)
    Constructor.

  • Method Summary

    Modifier and Type
    Method
    Description
    protected String
    ensurePadding(String base64)
    Sometimes a user agent will send the rememberMe cookie value without padding, most likely because = is a separator in the cookie header.
    protected void
    forgetIdentity(org.apache.shiro.subject.Subject subject)
    Removes the 'rememberMe' cookie from the associated WebSubject's request/response pair.
    void
    forgetIdentity(org.apache.shiro.subject.SubjectContext subjectContext)
    Removes the 'rememberMe' cookie from the associated WebSubjectContext's request/response pair.
    Cookie
    getCookie()
    Returns the cookie 'template' that will be used to set all attributes of outgoing rememberMe cookies created by this RememberMeManager.
    protected byte[]
    getRememberedSerializedIdentity(org.apache.shiro.subject.SubjectContext subjectContext)
    Returns a previously serialized identity byte array or null if the byte array could not be acquired.
    protected void
    rememberSerializedIdentity(org.apache.shiro.subject.Subject subject, byte[] serialized)
    Base64-encodes the specified serialized byte array and sets that base64-encoded String as the cookie value.
    void
    setCookie(Cookie cookie)
    Sets the cookie 'template' that will be used to set all attributes of outgoing rememberMe cookies created by this RememberMeManager.

    Methods inherited from class org.apache.shiro.mgt.AbstractRememberMeManager

    convertBytesToPrincipals, convertPrincipalsToBytes, decrypt, deserialize, encrypt, getCipherKey, getCipherService, getDecryptionCipherKey, getEncryptionCipherKey, getIdentityToRemember, getRememberedPrincipals, getSerializer, isRememberMe, onFailedLogin, onLogout, onRememberedPrincipalFailure, onSuccessfulLogin, rememberIdentity, rememberIdentity, serialize, setCipherKey, setCipherService, setDecryptionCipherKey, setEncryptionCipherKey, setSerializer

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Field Details

  • Constructor Details

    • CookieRememberMeManager

      public CookieRememberMeManager()
      Constructs a new CookieRememberMeManager with a default rememberMe cookie template.

    • CookieRememberMeManager

      public CookieRememberMeManager(Supplier<byte[]> keySupplier)
      Constructor. Pass keySupplier that supplies encryption key
      Parameters:
      keySupplier -
      Since:
      2.0

  • Method Details

    • getCookie

      public Cookie getCookie()
      Returns the cookie 'template' that will be used to set all attributes of outgoing rememberMe cookies created by this RememberMeManager. Outgoing cookies will match this one except for the value attribute, which is necessarily set dynamically at runtime.

      Please see the class-level JavaDoc for the default cookie's attribute values.

      Returns:
      the cookie 'template' that will be used to set all attributes of outgoing rememberMe cookies created by this RememberMeManager.

    • setCookie

      public void setCookie(Cookie cookie)
      Sets the cookie 'template' that will be used to set all attributes of outgoing rememberMe cookies created by this RememberMeManager. Outgoing cookies will match this one except for the value attribute, which is necessarily set dynamically at runtime.

      Please see the class-level JavaDoc for the default cookie's attribute values.

      Parameters:
      cookie - the cookie 'template' that will be used to set all attributes of outgoing rememberMe cookies created by this RememberMeManager.

    • rememberSerializedIdentity

      protected void rememberSerializedIdentity(org.apache.shiro.subject.Subject subject, byte[] serialized)
      Base64-encodes the specified serialized byte array and sets that base64-encoded String as the cookie value.

      The subject instance is expected to be a WebSubject instance with an HTTP Request/Response pair so an HTTP cookie can be set on the outgoing response. If it is not a WebSubject or that WebSubject does not have an HTTP Request/Response pair, this implementation does nothing.

      Specified by:
      rememberSerializedIdentity in class org.apache.shiro.mgt.AbstractRememberMeManager
      Parameters:
      subject - the Subject for which the identity is being serialized.
      serialized - the serialized bytes to be persisted.

    • getRememberedSerializedIdentity

      protected byte[] getRememberedSerializedIdentity(org.apache.shiro.subject.SubjectContext subjectContext)
      Returns a previously serialized identity byte array or null if the byte array could not be acquired. This implementation retrieves an HTTP cookie, Base64-decodes the cookie value, and returns the resulting byte array.

      The SubjectContext instance is expected to be a WebSubjectContext instance with an HTTP Request/Response pair so an HTTP cookie can be retrieved from the incoming request. If it is not a WebSubjectContext or that WebSubjectContext does not have an HTTP Request/Response pair, this implementation returns null.

      Specified by:
      getRememberedSerializedIdentity in class org.apache.shiro.mgt.AbstractRememberMeManager
      Parameters:
      subjectContext - the contextual data, usually provided by a Subject.Builder implementation, that is being used to construct a Subject instance. To be used to assist with data lookup.
      Returns:
      a previously serialized identity byte array or null if the byte array could not be acquired.

    • ensurePadding

      protected String ensurePadding(String base64)
      Sometimes a user agent will send the rememberMe cookie value without padding, most likely because = is a separator in the cookie header.

      Contributed by Luis Arias. Thanks Luis!

      Parameters:
      base64 - the base64 encoded String that may need to be padded
      Returns:
      the base64 String padded if necessary.

    • forgetIdentity

      protected void forgetIdentity(org.apache.shiro.subject.Subject subject)
      Removes the 'rememberMe' cookie from the associated WebSubject's request/response pair.

      The subject instance is expected to be a WebSubject instance with an HTTP Request/Response pair. If it is not a WebSubject or that WebSubject does not have an HTTP Request/Response pair, this implementation does nothing.

      Specified by:
      forgetIdentity in class org.apache.shiro.mgt.AbstractRememberMeManager
      Parameters:
      subject - the subject instance for which identity data should be forgotten from the underlying persistence

    • forgetIdentity

      public void forgetIdentity(org.apache.shiro.subject.SubjectContext subjectContext)
      Removes the 'rememberMe' cookie from the associated WebSubjectContext's request/response pair.

      The SubjectContext instance is expected to be a WebSubjectContext instance with an HTTP Request/Response pair. If it is not a WebSubjectContext or that WebSubjectContext does not have an HTTP Request/Response pair, this implementation does nothing.

      Parameters:
      subjectContext - the contextual data, usually provided by a Subject.Builder implementation