Annotation Type RememberMe
@Inherited
@InterceptorBinding
@Retention(RUNTIME)
@Target(TYPE)
public @interface RememberMe
For the remember me function, the credentials provided by the caller are exchanged for a (long-lived) token which is sent to the user as the value of a cookie, in a similar way to how the HTTP session ID is sent. This token effectively becomes the credential that establishes the caller's identity within the application, so care should be taken to handle and store it securely, e.g. by using this feature with a secure transport (SSL/HTTPS), storing a strong hash instead of the actual token, and implementing an expiration policy.
The token is vended by a special purpose IdentityStore-like artifact; an implementation of the RememberMeIdentityStore.
This support is provided via an interceptor, implemented according to the Interceptors specification, that conducts the necessary logic.
Example:
@RequestScoped
@RememberMe
public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {
    // ...
}
Jakarta Expression Language expressions in attributes of type String are evaluated for every request requiring authentication. Both immediate and deferred syntax are supported, but effectively the semantics are always deferred.
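The following is an added example, not part of the original API documentation: a mechanism that sets the cookie attributes explicitly and uses isRememberMeExpression with the implicit objects "self" and "httpMessageContext" so that a token is issued only when the caller opted in. It assumes the jakarta.* namespace; the class name, the request parameter names and the isRememberMe helper method are hypothetical.

```java
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.*;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@RequestScoped
@RememberMe(
    cookieMaxAgeSeconds = 60 * 60 * 24 * 7, // one week instead of the one-day default
    cookieSecureOnly = true,                // the default, stated explicitly
    cookieHttpOnly = true,                  // the default, stated explicitly
    isRememberMeExpression = "#{self.isRememberMe(httpMessageContext)}")
public class FormParamAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext context) throws AuthenticationException {
        String name = request.getParameter("name");         // hypothetical parameter names
        String password = request.getParameter("password");
        if (name == null || password == null) {
            // No credentials supplied: challenge only if the resource is protected.
            return context.isProtected() ? context.responseUnauthorized() : context.doNothing();
        }
        CredentialValidationResult result =
            identityStoreHandler.validate(new UsernamePasswordCredential(name, password));
        return result.getStatus() == CredentialValidationResult.Status.VALID
            ? context.notifyContainerAboutLogin(result)
            : context.responseUnauthorized();
    }

    // Reached through "self" in the expression above; must be public for EL to call it.
    public boolean isRememberMe(HttpMessageContext context) {
        return "true".equals(context.getRequest().getParameter("rememberme"));
    }
}
```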
Note: this facility DOES NOT constitute any kind of "session management" system, but instead represents a special purpose authentication mechanism using a long-lived token, that is vended and validated by the RememberMeIdentityStore.
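As an added example (not code from the specification or any implementation of it), the sketch below shows one way a RememberMeIdentityStore can follow the advice above: it hands out a random token, keeps only a SHA-256 hash of it, and enforces its own expiry. It assumes Java 17 and the jakarta.* namespace; the class name, the in-memory map and the TTL constant are hypothetical.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.CallerPrincipal;
import jakarta.security.enterprise.credential.RememberMeCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.RememberMeIdentityStore;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

@ApplicationScoped
public class HashedTokenRememberMeStore implements RememberMeIdentityStore {
    // Keep in step with @RememberMe(cookieMaxAgeSeconds); 86400 is the annotation default.
    static final long TOKEN_TTL_SECONDS = 86_400;
    private record Stored(CallerPrincipal caller, Set<String> groups, Instant expires) {}
    // Illustrative in-memory store keyed by token hash; the raw token is never kept.
    private final Map<String, Stored> byHash = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    @Override
    public String generateLoginToken(CallerPrincipal caller, Set<String> groups) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Instant expires = Instant.now().plusSeconds(TOKEN_TTL_SECONDS);
        byHash.put(hash(token), new Stored(caller, Set.copyOf(groups), expires));
        return token; // only the cookie ever carries the raw value
    }
    @Override
    public CredentialValidationResult validate(RememberMeCredential credential) {
        String key = hash(credential.getToken());
        Stored s = byHash.get(key);
        if (s == null || Instant.now().isAfter(s.expires())) {
            byHash.remove(key); // server-side expiry, independent of the cookie's max age
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(s.caller(), s.groups());
    }
    @Override
    public void removeLoginToken(String token) {
        byHash.remove(hash(token)); // called on logout
    }
    private static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
}
```

A plain SHA-256 is adequate here only because the token is 256 bits of random data; a production store would persist the hashes and purge expired rows.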

Optional Element Summary

| Modifier and Type | Optional Element | Description |
| --- | --- | --- |
| boolean | cookieHttpOnly | Flag to indicate that the remember me cookie should not be exposed to client-side scripting code, and should only be sent with HTTP requests. |
| java.lang.String | cookieHttpOnlyExpression | Jakarta Expression Language expression variant of cookieHttpOnly(). |
| int | cookieMaxAgeSeconds | Max age in seconds for the remember me cookie. |
| java.lang.String | cookieMaxAgeSecondsExpression | Jakarta Expression Language expression variant of cookieMaxAgeSeconds(). |
| java.lang.String | cookieName | Name of the remember me cookie. |
| boolean | cookieSecureOnly | Flag to indicate that the remember me cookie should only be sent using a secure protocol (e.g. HTTPS or SSL). |
| java.lang.String | cookieSecureOnlyExpression | Jakarta Expression Language expression variant of cookieSecureOnly(). |
| boolean | isRememberMe | Flag to determine if remember me should be used. |
| java.lang.String | isRememberMeExpression | Jakarta Expression Language expression to determine if remember me should be used. |

Element Details

cookieMaxAgeSeconds
int cookieMaxAgeSeconds
Max age in seconds for the remember me cookie. Defaults to one day.
- Returns: Max age in seconds
- See Also: Cookie.setMaxAge(int)
- Default: 86400

cookieMaxAgeSecondsExpression
java.lang.String cookieMaxAgeSecondsExpression
Jakarta Expression Language expression variant of cookieMaxAgeSeconds(). The expression needs to evaluate to an integer outcome. All named CDI beans are available to the expression, as well as default classes as specified by Jakarta Expression Language 3.0 for the ELProcessor and the implicit objects "self", which refers to the interceptor target, and "httpMessageContext", which refers to the current HttpMessageContext. If both this attribute and cookieMaxAgeSeconds() are specified, this attribute takes precedence.
- Returns: an expression evaluating to an integer designating the max age in seconds for the remember me cookie.
- Default: ""

cookieSecureOnly
boolean cookieSecureOnly
Flag to indicate that the remember me cookie should only be sent using a secure protocol (e.g. HTTPS or SSL).
- Returns: true if the cookie should be sent using a secure protocol only, false for any protocol.
- See Also: Cookie.setSecure(boolean)
- Default: true

cookieSecureOnlyExpression
java.lang.String cookieSecureOnlyExpression
Jakarta Expression Language expression variant of cookieSecureOnly(). The expression needs to evaluate to a boolean outcome. All named CDI beans are available to the expression, as well as default classes as specified by Jakarta Expression Language 3.0 for the ELProcessor and the implicit objects "self", which refers to the interceptor target, and "httpMessageContext", which refers to the current HttpMessageContext. If both this attribute and cookieSecureOnly() are specified, this attribute takes precedence.
- Returns: an expression evaluating to true if the cookie should be sent using a secure protocol only, false for any protocol.
- Default: ""

cookieHttpOnly
boolean cookieHttpOnly
Flag to indicate that the remember me cookie should not be exposed to client-side scripting code, and should only be sent with HTTP requests.
- Returns: true if the cookie should be sent only with HTTP requests (and not be made available to client-side scripting code), false otherwise.
- See Also: Cookie.setHttpOnly(boolean)
- Default: true

cookieHttpOnlyExpression
java.lang.String cookieHttpOnlyExpression
Jakarta Expression Language expression variant of cookieHttpOnly(). The expression needs to evaluate to a boolean outcome. All named CDI beans are available to the expression, as well as default classes as specified by Jakarta Expression Language 3.0 for the ELProcessor and the implicit objects "self", which refers to the interceptor target, and "httpMessageContext", which refers to the current HttpMessageContext. If both this attribute and cookieHttpOnly() are specified, this attribute takes precedence.
- Returns: an expression evaluating to true if the cookie should be sent only with HTTP requests, false otherwise.
- Default: ""

cookieName
java.lang.String cookieName
Name of the remember me cookie.
- Returns: The name of the cookie
- See Also: Cookie.getName()
- Default: "JREMEMBERMEID"

isRememberMe
boolean isRememberMe
Flag to determine if remember me should be used.
- Returns: Flag to determine if remember me should be used
- Default: true

isRememberMeExpression
java.lang.String isRememberMeExpression
Jakarta Expression Language expression to determine if remember me should be used. This is evaluated for every request requiring authentication. The expression needs to evaluate to a boolean outcome. All named CDI beans are available to the expression, as well as default classes as specified by Jakarta Expression Language 3.0 for the ELProcessor and the implicit objects "self", which refers to the interceptor target, and "httpMessageContext", which refers to the current HttpMessageContext.
- Returns: Jakarta Expression Language expression to determine if remember me should be used
- Default: ""