Annotation Interface RememberMe


The RememberMe annotation provides an application the ability to declaratively designate that an authentication mechanism effectively "remembers" the authentication and automatically applies it to every subsequent request.

For the remember me function the credentials provided by the caller are exchanged for a (long-lived) token which is sent to the user as the value of a cookie, in a similar way to how the HTTP session ID is sent. It should be realized that this token effectively becomes the credential that establishes the caller's identity within the application, and care should be taken to handle and store the token securely, e.g. by using this feature only over a secure transport (SSL/HTTPS), storing a strong hash instead of the actual token, and implementing an expiration policy.

The token is vended by a special purpose IdentityStore-like artifact; an implementation of the RememberMeIdentityStore.

This support is provided via an interceptor, as defined by the Jakarta Interceptors specification, that conducts the necessary logic.

Example:

     @RequestScoped
     @RememberMe
     public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {
         // ...
     }

Jakarta Expression Language expressions in attributes of type String are evaluated for every request requiring authentication. Both immediate and deferred syntax are supported, but effectively the semantics are always deferred.

Note: this facility DOES NOT constitute any kind of "session management" system, but instead represents a special purpose authentication mechanism using a long-lived token, that is vended and validated by the RememberMeIdentityStore.
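The following is an added example, not code from the Jakarta Security specification or any implementation of it: a RememberMeIdentityStore that vends and validates the token as described above while following the handling guidance (only a SHA-256 hash of the token is stored, and each token carries an expiration). The in-memory map and the one-week lifetime are assumptions made for illustration; a real deployment would persist the hashed entries.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.CallerPrincipal;
import jakarta.security.enterprise.credential.RememberMeCredential;
import jakarta.security.enterprise.identitystore.*;

@ApplicationScoped
public class HashedRememberMeIdentityStore implements RememberMeIdentityStore {
    private static final long TOKEN_LIFETIME_SECONDS = 7L * 24 * 3600; // assumed expiration policy
    private final SecureRandom random = new SecureRandom();
    // Keyed by the SHA-256 hash of the token; the raw token only ever lives in the caller's cookie.
    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private record Entry(String caller, Set<String> groups, Instant expiresAt) {}
    @Override
    public String generateLoginToken(CallerPrincipal callerPrincipal, Set<String> groups) {
        byte[] raw = new byte[32];                       // 256 bits of entropy
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hash(token), new Entry(callerPrincipal.getName(), Set.copyOf(groups),
                Instant.now().plusSeconds(TOKEN_LIFETIME_SECONDS)));
        return token;                                    // the container places this in the cookie
    }
    @Override
    public CredentialValidationResult validate(RememberMeCredential credential) {
        String key = hash(credential.getToken());
        Entry entry = store.get(key);
        if (entry == null || Instant.now().isAfter(entry.expiresAt())) {
            store.remove(key);                           // unknown or expired: force re-authentication
            return CredentialValidationResult.INVALID_RESULT;
        }
        return new CredentialValidationResult(entry.caller(), entry.groups());
    }
    @Override
    public void removeLoginToken(String token) {
        store.remove(hash(token));                       // invoked on logout
    }
    private static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Because only the hash is kept server-side, a leaked store does not yield usable tokens, and the expiry check bounds how long a stolen cookie remains valid.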