Home Java javaTutorial Implementing One-Time Token Authentication with Spring Security

Implementing One-Time Token Authentication with Spring Security

Dec 04, 2024 pm 05:11 PM

Implementing One-Time Token Authentication with Spring Security

In today's digital landscape, providing secure and user-friendly authentication methods is crucial. One such method gaining popularity is One-Time Token (OTT) authentication, often implemented as "magic links" sent via email. Spring Security 6.4.0 provides robust built-in support for OTT authentication, including ready-to-use implementations. In this comprehensive guide, we'll explore how to implement secure OTT authentication using both built-in solutions and custom implementations.

Understanding One-Time Tokens vs. One-Time Passwords

Before diving into implementation, it's important to understand that One-Time Tokens (OTT) differ from One-Time Passwords (OTP). While OTP systems typically require initial setup and rely on external tools for password generation, OTT systems are simpler from a user perspective - they receive a unique token (usually via email) that they can use to authenticate.

Key differences include:

  • OTT doesn't require initial user setup
  • Tokens are generated and delivered by your application
  • Each token is typically valid for a single use and expires after a set time

Available Built-in Implementations

Spring Security provides two implementations of OneTimeTokenService:

  1. InMemoryOneTimeTokenService:

    • Stores tokens in memory
    • Ideal for development and testing
    • Not suitable for production or clustered environments
    • Tokens are lost on application restart
  2. JdbcOneTimeTokenService:

    • Stores tokens in a database
    • Suitable for production use
    • Works in clustered environments
    • Persistent storage with automatic cleanup

Using InMemoryOneTimeTokenService

Here's how to implement the simpler in-memory solution:

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login/**", "/ott/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(Customizer.withDefaults());  // Uses InMemoryOneTimeTokenService by default

        return http.build();
    }
}
Copy after login
Copy after login

Using JdbcOneTimeTokenService

For production environments, use the JDBC implementation:

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Autowired
    JdbcTemplate jdbcTemplate;

    @Bean
    public OneTimeTokenService oneTimeTokenService() {
        return new JdbcOneTimeTokenService(jdbcTemplate);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login/**", "/ott/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(Customizer.withDefaults());

        return http.build();
    }
}
Copy after login
Copy after login

Required table structure for JdbcOneTimeTokenService:

CREATE TABLE one_time_tokens (
    token_value VARCHAR(255) PRIMARY KEY,
    username VARCHAR(255) NOT NULL,
    issued_at TIMESTAMP NOT NULL,
    expires_at TIMESTAMP NOT NULL,
    used BOOLEAN NOT NULL
);
Copy after login

Custom Implementation

For more control over the token generation and validation process, you can create a custom implementation:

1. Token Entity and Repository

@Entity
@Table(name = "one_time_tokens")
public class OneTimeToken {
    @Id
    @GeneratedValue
    private Long id;

    private String tokenValue;
    private String username;
    private LocalDateTime createdAt;
    private LocalDateTime expiresAt;
    private boolean used;

    // Getters and setters omitted for brevity
}

@Repository
public interface OneTimeTokenRepository extends JpaRepository<OneTimeToken, Long> {
    Optional<OneTimeToken> findByTokenValueAndUsedFalse(String tokenValue);
    void deleteByExpiresAtBefore(LocalDateTime dateTime);
}
Copy after login

2. Custom Token Service

@Service
@Transactional
public class PersistentOneTimeTokenService implements OneTimeTokenService {
    private static final int TOKEN_VALIDITY_MINUTES = 15;

    @Autowired
    private OneTimeTokenRepository tokenRepository;

    @Override
    public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
        String tokenValue = UUID.randomUUID().toString();
        LocalDateTime now = LocalDateTime.now();

        OneTimeToken token = new OneTimeToken();
        token.setTokenValue(tokenValue);
        token.setUsername(request.getUsername());
        token.setCreatedAt(now);
        token.setExpiresAt(now.plusMinutes(TOKEN_VALIDITY_MINUTES));
        token.setUsed(false);

        return return new DefaultOneTimeToken(token.getTokenValue(),token.getUsername(), Instant.now());
    }

    @Override
    public Authentication consume(ConsumeOneTimeTokenRequest request) {
        OneTimeToken token = tokenRepository.findByTokenValueAndUsedFalse(request.getTokenValue())
            .orElseThrow(() -> new BadCredentialsException("Invalid or expired token"));

        if (token.getExpiresAt().isBefore(LocalDateTime.now())) {
            throw new BadCredentialsException("Token has expired");
        }

        token.setUsed(true);
        tokenRepository.save(token);

        UserDetails userDetails = loadUserByUsername(token.getUsername());
        return new UsernamePasswordAuthenticationToken(
            userDetails, null, userDetails.getAuthorities());
    }
}
Copy after login

Implementing Token Delivery

Spring Security doesn't handle token delivery, so you'll need to implement it:

@Component
public class EmailMagicLinkHandler implements OneTimeTokenGenerationSuccessHandler {
    @Autowired
    private JavaMailSender mailSender;

    private final OneTimeTokenGenerationSuccessHandler redirectHandler = 
        new RedirectOneTimeTokenGenerationSuccessHandler("/ott/check-email");

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, 
                      OneTimeToken token) throws IOException, ServletException {
        String magicLink = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
            .replacePath(request.getContextPath())
            .replaceQuery(null)
            .fragment(null)
            .path("/login/ott")
            .queryParam("token", token.getTokenValue())
            .toUriString();

        SimpleMailMessage message = new SimpleMailMessage();
        message.setTo(getUserEmail(token.getUsername()));
        message.setSubject("Your Sign-in Link");
        message.setText("Click here to sign in: " + magicLink);

        mailSender.send(message);
        redirectHandler.handle(request, response, token);
    }
}
Copy after login

Customizing URLs and Pages

Spring Security provides several customization options:

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login/**", "/ott/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(Customizer.withDefaults());  // Uses InMemoryOneTimeTokenService by default

        return http.build();
    }
}
Copy after login
Copy after login

Production Considerations

When deploying OTT authentication in production:

  1. Choose the Right Implementation

    • Use JdbcOneTimeTokenService or custom implementation for production
    • InMemoryOneTimeTokenService should only be used for development/testing
  2. Configure Email Delivery

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Autowired
    JdbcTemplate jdbcTemplate;

    @Bean
    public OneTimeTokenService oneTimeTokenService() {
        return new JdbcOneTimeTokenService(jdbcTemplate);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login/**", "/ott/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(Customizer.withDefaults());

        return http.build();
    }
}
Copy after login
Copy after login
  1. Security Best Practices
    • Set appropriate token expiration times (15 minutes recommended)
    • Implement rate limiting for token generation
    • Use HTTPS for all endpoints
    • Monitor failed authentication attempts
    • Ensure tokens are single-use and invalidated immediately after use
    • Implement automatic cleanup of expired tokens
    • Use secure random token generation to prevent guessing

How It Works

  1. User requests a token by submitting their email address
  2. System generates a secure token and sends a magic link via email
  3. User clicks the link and is redirected to the token submission page
  4. System validates the token and authenticates the user if valid

Conclusion

Spring Security's OTT support provides a robust foundation for implementing secure, user-friendly authentication. Whether you choose the built-in implementations or create a custom solution, you can offer your users a passwordless login option while maintaining high security standards.

When implementing OTT authentication, remember to:

  • Choose the appropriate implementation for your environment
  • Implement secure token delivery
  • Configure proper token expiration
  • Follow security best practices
  • Create user-friendly error handling and redirects
  • Implement proper email templating for a professional look

By following this guide, you can implement a secure and user-friendly OTT authentication system that meets your application's needs while leveraging Spring Security's robust security features.

Reference: https://docs.spring.io/spring-security/reference/servlet/authentication/onetimetoken.html

The above is the detailed content of Implementing One-Time Token Authentication with Spring Security. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Top 4 JavaScript Frameworks in 2025: React, Angular, Vue, Svelte Top 4 JavaScript Frameworks in 2025: React, Angular, Vue, Svelte Mar 07, 2025 pm 06:09 PM

Top 4 JavaScript Frameworks in 2025: React, Angular, Vue, Svelte

How do I implement multi-level caching in Java applications using libraries like Caffeine or Guava Cache? How do I implement multi-level caching in Java applications using libraries like Caffeine or Guava Cache? Mar 17, 2025 pm 05:44 PM

How do I implement multi-level caching in Java applications using libraries like Caffeine or Guava Cache?

Node.js 20: Key Performance Boosts and New Features Node.js 20: Key Performance Boosts and New Features Mar 07, 2025 pm 06:12 PM

Node.js 20: Key Performance Boosts and New Features

How does Java's classloading mechanism work, including different classloaders and their delegation models? How does Java's classloading mechanism work, including different classloaders and their delegation models? Mar 17, 2025 pm 05:35 PM

How does Java's classloading mechanism work, including different classloaders and their delegation models?

Iceberg: The Future of Data Lake Tables Iceberg: The Future of Data Lake Tables Mar 07, 2025 pm 06:31 PM

Iceberg: The Future of Data Lake Tables

Spring Boot SnakeYAML 2.0 CVE-2022-1471 Issue Fixed Spring Boot SnakeYAML 2.0 CVE-2022-1471 Issue Fixed Mar 07, 2025 pm 05:52 PM

Spring Boot SnakeYAML 2.0 CVE-2022-1471 Issue Fixed

How can I use JPA (Java Persistence API) for object-relational mapping with advanced features like caching and lazy loading? How can I use JPA (Java Persistence API) for object-relational mapping with advanced features like caching and lazy loading? Mar 17, 2025 pm 05:43 PM

How can I use JPA (Java Persistence API) for object-relational mapping with advanced features like caching and lazy loading?

How can I implement functional programming techniques in Java? How can I implement functional programming techniques in Java? Mar 11, 2025 pm 05:51 PM

How can I implement functional programming techniques in Java?

See all articles