HttpSessionOAuthRememberMeServices.java

package org.springframework.security.oauth.consumer.rememberme;

import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.oauth.consumer.OAuthConsumerToken;

/**
 * Default implementation of the OAuth2 rememberme services. Just stores everything in the session by default. Storing
 * access token can be suppressed to reduce long-term expose of these tokens in the underlying HTTP session.
 * 
 * @author Ryan Heaton
 * @author Alex Rau
 */
public class HttpSessionOAuthRememberMeServices implements OAuthRememberMeServices {

	public static final String REMEMBERED_TOKENS_KEY = HttpSessionOAuthRememberMeServices.class.getName()
			+ "#REMEMBERED_TOKENS";

	private boolean storeAccessTokens = true;

	@SuppressWarnings("unchecked")
	public Map<String, OAuthConsumerToken> loadRememberedTokens(HttpServletRequest request, HttpServletResponse response) {
		
		HttpSession session = request.getSession(false);

		if (session != null) {
			return (Map<String, OAuthConsumerToken>) session.getAttribute(REMEMBERED_TOKENS_KEY);
		}
		
		return null;
	}

	public void rememberTokens(Map<String, OAuthConsumerToken> tokens, HttpServletRequest request,
			HttpServletResponse response) {

		HttpSession session = request.getSession(false);

		if (session == null) {
			return;
		}

		Map<String, OAuthConsumerToken> requestTokensOnly = new HashMap<String, OAuthConsumerToken>();

		for (Map.Entry<String, OAuthConsumerToken> token : tokens.entrySet()) {
			if (storeAccessTokens && !token.getValue().isAccessToken())
				requestTokensOnly.put(token.getKey(), token.getValue());

		}

		session.setAttribute(REMEMBERED_TOKENS_KEY, requestTokensOnly);
	}
}