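/*******************************************************************************
 *
 * Copyright (c) 2004-2009 Oracle Corporation.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * Contributors:
 *
 *    Kohsuke Kawaguchi
 *
 *
 *******************************************************************************/

package hudson.security;

import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * {@link UserDetails} that can mark {@link Authentication} invalid.
 *
 * <p>
 * Tomcat persists sessions by using Java serialization, and that includes the
 * security token created by Spring Security, which in turn includes this
 * object. When that happens, the next time the server comes back it will try
 * to deserialize the {@link SecurityContext} that Spring Security puts into
 * the {@link HttpSession} (which transitively includes a {@link UserDetails}
 * that can be implemented by Hudson).
 *
 * <p>
 * Such a {@link UserDetails} implementation can override the
 * {@link #isInvalid()} method so that the restored {@link SecurityContext} is
 * dropped before the rest of Spring Security sees it.
 *
 * <p>
 * NOTE(review): earlier wording of this Javadoc said the override should
 * "return false" to get the context dropped; the method name suggests
 * {@code true} is the value that marks the object invalid. The code that
 * inspects this flag is not part of this file, so confirm against that caller
 * before relying on either reading.
 *
 * <p>
 * See http://issues.hudson-ci.org/browse/HUDSON-1482
 *
 * @author Kohsuke Kawaguchi
 * @deprecated Starting 1.285, Hudson stops persisting {@link Authentication}
 *             altogether (see {@link NotSerilizableSecurityContext}), so
 *             there's no need to use this mechanism.
 */
// The annotation mirrors the Javadoc @deprecated tag so that the deprecation
// is also visible to tools that read annotations rather than doc comments.
@Deprecated
public interface InvalidatableUserDetails extends UserDetails {

    /**
     * Reports whether this object, typically one restored from a serialized
     * session, should be treated as invalid.
     *
     * @return the invalid flag; presumably {@code true} means the owning
     *         {@link SecurityContext} is to be discarded (verify against the
     *         caller that consumes this value)
     */
    boolean isInvalid();
}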