JBoss Community Archive (Read Only)

GateIn Portal 3.8

Authentication Token Configuration

The Token Service is used during authentication. Instead of the user's account information travelling in clear text in inbound requests, the client presents an opaque token that the portal maps back to the stored credentials, which strengthens authentication security.

The token service lets administrators create, delete, retrieve and clean up tokens as required. The service also defines a validity period for every token; a token becomes invalid once that period expires.

Implement the Token Service API

Every token service used in GateIn Portal authentication must be implemented by subclassing the abstract class AbstractTokenService. The following AbstractTokenService methods form the contract between the authentication runtime and a token service implementation:

public Token getToken(String id) throws PathNotFoundException, RepositoryException;
public Token deleteToken(String id) throws PathNotFoundException, RepositoryException;
public String[] getAllTokens();
public long getNumberTokens() throws Exception;
public String createToken(Credentials credentials) throws IllegalArgumentException,NullPointerException;
public Credentials validateToken(String tokenKey, boolean remove) throws NullPointerException;

Configure token services

The token service configuration includes the token validity period. The token service is configured as a portal component (in the portal scope, as opposed to the root scope; see Foundations for more information).

In the example below, CookieTokenService is a subclass of AbstractTokenService and therefore has a property that specifies the validity period of the token.

The token service initializes this validity property from an init-param named service.configuration, which must have exactly three values.

<component>
  <key>org.exoplatform.web.security.security.CookieTokenService</key>
  <type>org.exoplatform.web.security.security.CookieTokenService</type>
  <init-params>
    <values-param>
      <name>service.configuration</name>
      <value>jcr-token</value>
      <value>7</value>
      <value>DAY</value>
    </values-param>
  </init-params>
</component>

The three values are, in order:

  • Service name

  • Amount of time

  • Unit of time

In this case, the service name is jcr-token and the token expiration time is 7 days, that is one week.

GateIn Portal supports four time units:

  • SECOND

  • MINUTE

  • HOUR

  • DAY

Extended configuration properties

To meet the configuration needs of JUnit tests, GateIn introduced an additional init-param named cleanup.period.time.

<init-params>
  <value-param>
    <name>cleanup.period.time</name>
    <value>0</value>
  </value-param>
</init-params>
  • cleanup.period.time sets the period of the token cleanup, which runs in a worker thread; the value is expressed in seconds (SECOND is its time unit). When the value is 0 or less, the worker thread is not started, which is the behavior wanted in JUnit tests. Outside tests, keep the value positive so that expired tokens are actually removed from the store.
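As an added illustration (in Python, not GateIn's own Java AbstractTokenService or CookieTokenService, which persist tokens in JCR), the following model ties together the contract listed under "Implement the Token Service API" and the service.configuration and cleanup.period.time settings above: the three configuration values are parsed into a validity period in seconds, createToken hands out a random opaque key so the client never carries account information in clear text, validateToken refuses expired tokens and removes the token on use when asked to, and the cleanup worker is started only when cleanup.period.time is positive. Credentials, Token, the in-memory dictionary and the injectable clock are assumptions of this example; the clock exists only so that expiry can be exercised without waiting a week.

```python
# Added illustration in Python, not GateIn's own Java AbstractTokenService or
# CookieTokenService: tokens live in a dict instead of JCR; Credentials and
# Token are stand-ins for the GateIn classes of the same name.
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The four time units accepted as the third value of service.configuration.
TIME_UNITS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}

def parse_service_configuration(values: List[str]) -> Tuple[str, int]:
    """Turn the three values (service name, amount, unit) into (name, seconds)."""
    if len(values) != 3:
        raise ValueError("service.configuration must have exactly three values")
    name, amount, unit = values
    if unit not in TIME_UNITS:
        raise ValueError("unsupported time unit: %r" % unit)
    seconds = int(amount) * TIME_UNITS[unit]
    if seconds <= 0:
        raise ValueError("validity period must be positive")
    return name, seconds

@dataclass
class Credentials:
    username: str
    password: str

@dataclass
class Token:
    credentials: Credentials
    expiration: float  # absolute time, seconds since the epoch

class InMemoryTokenService:
    """Model of the AbstractTokenService contract: the client only ever holds
    a random opaque key, never the account information itself."""

    def __init__(self, service_configuration: List[str], cleanup_period_time: int = 0,
                 clock: Callable[[], float] = time.time):
        self.name, self.validity = parse_service_configuration(service_configuration)
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self._tokens: Dict[str, Token] = {}
        self._lock = threading.Lock()
        self._worker: Optional[threading.Thread] = None
        # cleanup.period.time is in seconds; 0 or less leaves the worker thread
        # unstarted, which is the setting the page describes for JUnit tests.
        if cleanup_period_time > 0:
            self._worker = threading.Thread(target=self._cleanup_loop,
                                            args=(cleanup_period_time,), daemon=True)
            self._worker.start()

    def _cleanup_loop(self, period: int) -> None:
        while True:
            time.sleep(period)
            self.clean_expired_tokens()

    def clean_expired_tokens(self) -> int:
        """Drop every token whose validity period has elapsed; return the count."""
        now = self.clock()
        with self._lock:
            expired = [k for k, t in self._tokens.items() if t.expiration <= now]
            for k in expired:
                del self._tokens[k]
        return len(expired)

    def createToken(self, credentials: Optional[Credentials]) -> str:
        if credentials is None:
            raise ValueError("credentials must not be null")
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        with self._lock:
            self._tokens[key] = Token(credentials, self.clock() + self.validity)
        return key

    def validateToken(self, token_key: Optional[str], remove: bool) -> Optional[Credentials]:
        if token_key is None:
            raise ValueError("tokenKey must not be null")
        with self._lock:
            token = self._tokens.get(token_key)
            if token is None:
                return None
            expired = token.expiration <= self.clock()
            if expired or remove:  # an expired token is purged on first use
                del self._tokens[token_key]
            return None if expired else token.credentials

    def getToken(self, token_id: str) -> Token:
        with self._lock:
            return self._tokens[token_id]  # KeyError stands in for PathNotFoundException

    def deleteToken(self, token_id: str) -> Token:
        with self._lock:
            return self._tokens.pop(token_id)

    def getAllTokens(self) -> List[str]:
        with self._lock:
            return list(self._tokens)

    def getNumberTokens(self) -> int:
        with self._lock:
            return len(self._tokens)
```

Constructing the service with `["jcr-token", "7", "DAY"]` reproduces the configuration above (a validity of 604800 seconds); passing `cleanup_period_time=0` mirrors the JUnit setting and leaves `_worker` unset, so expired tokens are then only removed when they are presented or when clean_expired_tokens is called explicitly.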

Codec configuration

GateIn Portal has a dedicated codec component, used to encode sensitive information before it is saved to the database and to decode it when it is read back. It is used by the CookieTokenService described above and for encoding/decoding OAuth access token information before it is saved in PicketLink IDM, as described in the OAuth documentation.

The codec configuration can look like this:

<component>
  <type>org.exoplatform.web.security.codec.CodecInitializer</type>
  <init-params>
    <value-param>
      <name>gatein.conf.dir</name>
      <value>jar:/conf</value>
    </value-param>
  </init-params>
</component>
  • gatein.conf.dir specifies the folder that holds the codec key; it is useful in environments where the JVM system property gatein.conf.dir is undefined. The value follows the URL rules of the Kernel framework (jar:/ and war:/ schemes). Whoever can read that key can decode every value the codec protected, so the folder should be readable only by the portal process.

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-10 13:20:48 UTC, last content change 2013-05-27 09:44:36 UTC.