@Inherited @InterceptorBinding @Retention(value=RUNTIME) @Target(value=TYPE) public @interface RememberMe
For the remember me function the credentials provided by the caller are exchanged for a (long-lived) token which is send to the user as the value of a cookie, in a similar way to how the HTTP session ID is send. It should be realized that this token effectively becomes the credential to establish the caller's identity within the application and care should be taken to handle and store the token securely. E.g. by using this feature with a secure transport (SSL/HTTPS), storing a strong hash instead of the actual token, and implementing an expiration policy.
The token is vended by a special purpose IdentityStore
-like artifact; an implementation of the
RememberMeIdentityStore
.
This support is provided via an implementation of an interceptor spec interceptor that conducts the necessary logic.
Example:
@RequestScoped
@RememberMe
public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {
// ...
}
Jakarta Expression Language expressions in attributes of type String
are evaluated for every request requiring
authentication. Both immediate and deferred syntax is supported, but effectively the semantics
are always deferred.
Note: this facility DOES NOT constitute any kind of "session management" system, but instead
represents a special purpose authentication mechanism using a long-lived token, that is vended and validated by the
RememberMeIdentityStore
.
Modifier and Type | Optional Element and Description |
---|---|
boolean |
cookieHttpOnly
Flag to indicate that the remember me cookie should not be exposed to
client-side scripting code, and should only be sent with HTTP requests.
|
java.lang.String |
cookieHttpOnlyExpression
Jakarta Expression Language expression variant of
cookieHttpOnly() . |
int |
cookieMaxAgeSeconds
Max age in seconds for the remember me cookie.
|
java.lang.String |
cookieMaxAgeSecondsExpression
Jakarta Expression Language expression variant of
cookieMaxAgeSeconds() . |
java.lang.String |
cookieName
Name of the remember me cookie.
|
boolean |
cookieSecureOnly
Flag to indicate that the remember me cookie should only be
sent using a secure protocol (e.g.
|
java.lang.String |
cookieSecureOnlyExpression
Jakarta Expression Language expression variant of
cookieSecureOnly() . |
boolean |
isRememberMe
Flag to determine if remember me should be used.
|
java.lang.String |
isRememberMeExpression
Jakarta Expression Language expression to determine if remember me should be used.
|
public abstract int cookieMaxAgeSeconds
Cookie.setMaxAge(int)
public abstract java.lang.String cookieMaxAgeSecondsExpression
cookieMaxAgeSeconds()
. The expression needs to
evaluate to an integer outcome. All named CDI beans are available to the expression as well as default classes as
specified by Jakarta Expression Language 3.0 for the ELProcessor
and the implicit objects "self" which refers
to the interceptor target and "httpMessageContext" which refers to the current HttpMessageContext
. If both
this attribute and cookieMaxAgeSeconds()
are specified, this attribute takes precedence.public abstract boolean cookieSecureOnly
Cookie.setSecure(boolean)
public abstract java.lang.String cookieSecureOnlyExpression
cookieSecureOnly()
. The expression needs to evaluate
to a boolean outcome. All named CDI beans are available to the expression as well as default classes as specified by
Jakarta Expression Language 3.0 for the ELProcessor
and the implicit objects "self" which refers to the
interceptor target and "httpMessageContext" which refers to the current HttpMessageContext
. If both this
attribute and cookieSecureOnly()
are specified, this attribute takes precedence.public abstract boolean cookieHttpOnly
Cookie.setHttpOnly(boolean)
public abstract java.lang.String cookieHttpOnlyExpression
cookieHttpOnly()
. The expression needs to evaluate to
a boolean outcome. All named CDI beans are available to the expression as well as default classes as specified by
Jakarta Expression Language 3.0 for the ELProcessor
and the implicit objects "self" which refers to the
interceptor target and "httpMessageContext" which refers to the current HttpMessageContext
. If both this
attribute and cookieHttpOnly()
are specified, this attribute takes precedence.public abstract java.lang.String cookieName
Cookie.getName()
public abstract boolean isRememberMe
public abstract java.lang.String isRememberMeExpression
ELProcessor
and the implicit objects "self" which refers to the interceptor target and "httpMessageContext"
which refers to the current HttpMessageContext
.