Enhanced Security: By reducing our reliance on passwords, we minimize the risk of password-related vulnerabilities. This means no more weak passwords, no more password reuse across different sites, and even if someone intercepts a token, it’s likely to be expired and useless.<\/p>\n<\/li>\n
Improve User Experience: Let’s face it, remembering passwords can be a pain. One-Time Tokens simplify the process, allowing users to click a link or enter a short code, making login a smoother experience.<\/p>\n<\/li>\n
Fewer Password Reset: With One-Time Tokens, the need for password resets decreases significantly. Since users don’t have to constantly remember and re-enter passwords, there’s less to forget in the first place.<\/p>\n<\/li>\n<\/ul>\n
Let’s dive into the world of One-Time Tokens login with Spring Security! We will explore what they are and how we can actually implement them.<\/p>\n
One-Time Token Login: The Flow<\/h2>\n\n- You navigate to the login page and enter your email address to start the process.<\/li>\n
- The application generates a unique, one-time token. This token is a long, random string that’s impossible to guess.<\/li>\n
- The system sends this token to you via email, SMS, or WhatsApp.<\/li>\n
- You receive the token and enter it on the login page. Often, you’ll just click a magic link in the message that contains the token.<\/li>\n
- The web application receives the token and checks:\n
\n- Is the token valid? (Does it match one we generated?)<\/li>\n
- Has it expired? (One-time tokens have a short lifespan for security)<\/li>\n
- Has it already been used? (Remember, it’s one-time use only!)<\/li>\n<\/ul>\n<\/li>\n
- If everything checks out, you’re logged in. The web application establishes a session for you.<\/li>\n<\/ol>\n
Let\u2019s Build This Thing!<\/h2>\nMaven<\/h3>\n
To enable the One-Time Token feature, we need to include the spring-boot-starter-security<\/code> and spring-boot-starter-web<\/code> dependencies.<\/p>\n\n<dependencies>\n <dependency>\n <groupId>org.springframework.boot<\/groupId>\n <artifactId>spring-boot-starter-web<\/artifactId>\n <\/dependency>\n <dependency>\n <groupId>org.springframework.boot<\/groupId>\n <artifactId>spring-boot-starter-security<\/artifactId>\n <\/dependency>\n<\/dependencies><\/code><\/pre>\n<\/div>\nSpring Security Configuration<\/h3>\n
Next, we configure the Spring Security and enable the form-login and One-Time Token Login:<\/p>\n
\n@Configuration\n@EnableWebSecurity\npublic class SecurityConfig {\n\n @Bean\n public SecurityFilterChain securityFilterChain(\n HttpSecurity http,\n SendLinkOneTimeTokenGenerationSuccessHandler successHandler,\n CustomOneTimeTokenService customOneTimeTokenService)\n throws Exception {\n AuthenticationSuccessHandler ottLoginsuccessHandler =\n (request, response, authentication) -> response.sendRedirect(\"\/\");\n\n http.csrf(Customizer.withDefaults())\n .authorizeHttpRequests(\n authorize ->\n authorize\n .requestMatchers(\"\/error\", \"\/\", \"\/images\/**\", \"\/js\/*.js\", \"\/css\/*.css\")\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/authentication\/login\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/logout\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/webjars\/**\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/ott\/sent\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/ott\/submit\"))\n .permitAll()\n .anyRequest()\n .authenticated())\n .formLogin(\n form ->\n form.loginPage(\"\/authentication\/login\")\n .loginProcessingUrl(\"\/login\")\n .failureUrl(\"\/authentication\/login?failed\")\n .defaultSuccessUrl(\"\/\")\n .permitAll())\n .headers(\n httpSecurityHeaders -> httpSecurityHeaders.frameOptions(FrameOptionsConfig::disable))\n .logout(Customizer.withDefaults())\n .oneTimeTokenLogin(\n configurer ->\n configurer\n .tokenGenerationSuccessHandler(successHandler)\n .tokenService(customOneTimeTokenService)\n .showDefaultSubmitPage(false)\n .authenticationSuccessHandler(ottLoginsuccessHandler));\n\n return http.build();\n }\n}<\/code><\/pre>\n<\/div>\n\n@EnableWebSecurity<\/code> annotation: enable Spring Security’s web security support and provide the Spring MVC integration.<\/li>\nSecurityFilterChain<\/code> bean to add custom filter in Spring Security Context.<\/li>\n- Configures
authorizeHttpRequests<\/code> defines which URL path should be secured and which should not.<\/li>\n- Configures
formLogin()<\/code> to customize the form based authentication. Configures loginPage()<\/code> for redirecting to \/authentication\/login<\/code> if authentication is required. Configures loginProcessingUrl<\/code> to validate the submitted credentials. failureUrl<\/code> specify the URL to send users if authentication fails.<\/li>\n- Configures
headers()<\/code>. We enable all the default headers except the X-Frame-Options headers.<\/li>\n.logout(Customizer.withDefaults())<\/code> provides logout support using default settings. The default is that accessing the URL “\/logout” will log the user out by invalidating the HTTP Session, cleaning up any rememberMe<\/code> authentication that was configured, clearing the SecurityContextHolder<\/code>, and then redirect to \/login?success<\/code>.<\/li>\n<\/ul>\nEnable One-Time Token Login support and customize it with oneTimeTokenLogin()<\/code> method :
\n– tokenGenerationSuccessHandler<\/code> : Specifies strategy to be used to handle generated one-time tokens. We will create a custom handler that implements OneTimeTokenGenerationSuccessHandler<\/code>.
\n– tokenService<\/code> : Configures the OneTimeTokenService<\/code> used to generate and consume the OneTimeToken<\/code>.
\n– showDefaultSubmitPage(false)<\/code> : disable the default One-Time Token submit page.
\n– authenticationSuccessHandler<\/code> : Specifies the AuthenticationSuccessHandler<\/code> strategy used to handle a successful user authentication. For demo, we redirect user to the home page.<\/p>\nCustom OneTimeTokenGenerationSuccessHandler<\/h3>\n
Next, we need to implement a custom OneTimeTokenGenerationSuccessHandler to deliver the token to the end user.<\/p>\n
\n@Component\npublic class SendLinkOneTimeTokenGenerationSuccessHandler\n implements OneTimeTokenGenerationSuccessHandler {\n\n private final OttEmailService emailService;\n private final FlashMapManager flashMapManager = new SessionFlashMapManager();\n\n public SendLinkOneTimeTokenGenerationSuccessHandler(OttEmailService emailService) {\n this.emailService = emailService;\n }\n\n @Override\n @SneakyThrows\n public void handle(\n HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken)\n throws IOException, ServletException {\n UriComponentsBuilder builder =\n UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(request))\n .replacePath(request.getContextPath())\n .replaceQuery(null)\n .fragment(null)\n .path(\"\/ott\/submit\")\n .queryParam(\"token\", oneTimeToken.getTokenValue());\n String link = builder.toUriString();\n CompletableFuture.runAsync(() -> emailService.sendEmail(oneTimeToken.getUsername(), link));\n\n RedirectView redirectView = new RedirectView(\"\/ott\/sent\");\n redirectView.setExposeModelAttributes(false);\n FlashMap flashMap = new FlashMap();\n flashMap.put(\"token\", oneTimeToken.getTokenValue());\n flashMap.put(\"ottSubmitUrl\", link);\n flashMapManager.saveOutputFlashMap(flashMap, request, response);\n redirectView.render(flashMap, request, response);\n }\n}<\/code><\/pre>\n<\/div>\nThis component will do a number of things:<\/p>\n
\n- Generate the magic link containing the one-time token.<\/li>\n
- Call
emailService.sendEmail()<\/code> to send the email to the user with magic link.<\/li>\n- For demo, we redirect user to the
\/ott\/sent<\/code> page.<\/li>\n<\/ul>\nCustom Success Page<\/h3>\n
Create a controller and an HTML template to handle this page. For demo purpose, we forward the token to the custom submit page.<\/p>\n
\n@Controller\n@RequestMapping(\"\/ott\")\npublic class OttController {\n @GetMapping(\"\/sent\")\n public String sent(Model model) {\n return \"ott\/sent\";\n }\n\n @GetMapping(\"\/submit\")\n public String submit(Model model, @RequestParam(\"token\") String token) {\n model.addAttribute(\"token\", token);\n return \"ott\/submit\";\n }\n}<\/code><\/pre>\n<\/div>\nsent.html<\/code><\/strong><\/h4>\n\n<html xmlns_th=\"http:\/\/www.thymeleaf.org\" xmlns_layout=\"http:\/\/www.ultraq.net.nz\/thymeleaf\/layout\"\n layout_decorate=\"~{layout}\">\n <head>\n <title>OTT Sent<\/title>\n <\/head>\n <body>\n <div layout_fragment=\"content\">\n <p>We just sent you an email. Please follow the provided link to log in.<\/p>\n <p>For testing here is the <a th_href=\"${ottSubmitUrl}\">submit link<\/a><\/p>\n <\/div>\n <\/body>\n<\/html><\/code><\/pre>\n<\/div>\nsubmit.html<\/code><\/strong><\/h4>\n\n<body>\n <div layout_fragment=\"content\">\n <div class=\"d-flex flex-wrap mb-4\">\n <h1 class=\"flex-grow-1\">Login OTT<\/h1>\n <\/div>\n <form th_action=\"@{\/login\/ott}\" method=\"post\">\n <div class=\"row mb-3\">\n <label for=\"token\" class=\"form-check-label\">Token<\/label>\n <input type=\"text\" id=\"token\" name=\"token\" th_value=\"${token}\" placeholder=\"Token\" required=\"true\"\n autofocus=\"autofocus\" class=\"form-control\"\/>\n <\/div>\n <button class=\"btn btn-primary\" type=\"submit\">Sign in<\/button>\n <\/form>\n <\/div>\n<\/body><\/code><\/pre>\n<\/div>\nCustom OneTimeTokenService<\/h3>\n
Next, create a custom implementation of OneTimeTokenService<\/code> interface. By customizing it, we can have a custom expire time, adding more info into token, and implement custom token value.<\/p>\n\n@Service\npublic class CustomOneTimeTokenService implements OneTimeTokenService {\n private final Map<String, OneTimeToken> oneTimeTokens = new ConcurrentHashMap<>();\n\n private Clock clock = Clock.systemUTC();\n\n @Override\n @NonNull\n public OneTimeToken generate(GenerateOneTimeTokenRequest request) {\n String token = UUID.randomUUID().toString();\n Instant expiresAt = this.clock.instant().plus(5, ChronoUnit.MINUTES);\n\n OneTimeToken oneTimeToken = new DefaultOneTimeToken(token, request.getUsername(), expiresAt);\n oneTimeTokens.put(token, oneTimeToken);\n\n return oneTimeToken;\n }\n\n @Override\n @Nullable\n public OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken) {\n log.info(\"Consume token: {}\", authenticationToken.getTokenValue());\n OneTimeToken oneTimeToken = oneTimeTokens.remove(authenticationToken.getTokenValue());\n if (oneTimeToken == null || isExpired(oneTimeToken)) {\n return null;\n }\n return oneTimeToken;\n }\n\n private boolean isExpired(OneTimeToken oneTimeToken) {\n return this.clock.instant().isAfter(oneTimeToken.getExpiresAt());\n }\n}<\/code><\/pre>\n<\/div>\nCustomOneTimeTokenService<\/code> class responsible for:<\/p>\n\n- Generating the token and storing it. For demo, we use in memory store.<\/li>\n
- Consuming the token, we validate the token expiration and delete the token from the store.<\/li>\n<\/ul>\n
Retrieving Users<\/h3>\n
Create custom UserDetailsService<\/code> implementation to load user-specific data.<\/p>\n\n@Service\n@AllArgsConstructor\npublic class CustomUserDetailService implements UserDetailsService {\n\n private final UsersContainerClient usersContainerClient;\n\n @Override\n public UserDetails loadUserByUsername(String email) {\n UserRecord user = usersContainerClient.getUserByEmail(email);\n if (user == null) {\n throw new UsernameNotFoundException(\"User not found\");\n }\n\n List<SimpleGrantedAuthority> authorities = new java.util.ArrayList<>();\n authorities.add(new SimpleGrantedAuthority(\"ROLE_USER\"));\n\n if (\"admin@example.com\".equals(user.email())) {\n authorities.add(new SimpleGrantedAuthority(\"ROLE_ADMIN\"));\n }\n\n return new org.springframework.security.core.userdetails.User(\n user.email(), user.password(), authorities);\n }\n}<\/code><\/pre>\n<\/div>\nThe user object is stored and fetched using the UsersContainerClient<\/code> class, which will handle the interaction with GridDB Cloud.<\/p>\n\n@Service\npublic class UsersContainerClient {\n private static final String CONTAINER_NAME = \"Users\";\n private final RestClient restClient;\n private final String baseUrl;\n\n public UsersContainerClient(\n @Value(\"${griddb.base-url}\") String baseUrl,\n @Value(\"${griddb.auth-token}\") String authToken) {\n this.baseUrl = baseUrl;\n this.restClient =\n RestClient.builder()\n .baseUrl(this.baseUrl)\n .defaultHeader(\"Authorization\", \"Basic \" + authToken)\n .defaultHeader(\"Content-Type\", MediaType.APPLICATION_JSON_VALUE)\n .build();\n }\n\n private <T> T post(String uri, Object body, Class<T> responseType) {\n try {\n return restClient.post().uri(uri).body(body).retrieve().body(responseType);\n } catch (GridDbException e) {\n throw e;\n } catch (Exception e) {\n throw new GridDbException(\n \"Failed to execute POST request\", HttpStatusCode.valueOf(500), e.getMessage(), e);\n }\n }\n\n public UserRecord getUserByEmail(String email) {\n String statement =\n String.format(\"SELECT id, email, name, \"password\" FROM Users where email == '%s'\", email);\n return getOneUser(statement);\n }\n\n private UserRecord getOneUser(String statement) {\n String type = \"sql-select\";\n GridDbCloudSQLSelectInput input = new GridDbCloudSQLSelectInput(type, statement);\n var response = post(\"\/sql\", List.of(input), GridDbCloudSQLOutPut[].class);\n log.info(\"Output: {}\", response[0]);\n if (response[0].results().size() == 0) {\n return null;\n }\n UserRecord foundUser = null;\n for (List<String> row : response[0].results()) {\n if (row.size() < 4) {\n break;\n }\n foundUser = new UserRecord(row.get(0), row.get(1), row.get(2), row.get(3));\n }\n log.info(\"Found user: {}\", foundUser);\n return foundUser;\n }\n}\n\nrecord GridDbCloudSQLSelectInput(String type, @JsonProperty(\"stmt\") String statement) {}\n\nrecord GridDbCloudSQLOutPut(\n @JsonProperty(\"columns\") List<GDCColumnInfo> columns,\n @JsonProperty(\"results\") List<List<String>> results,\n @JsonProperty(\"responseSizeByte\") long responseSizeByte) {}<\/code><\/pre>\n<\/div>\n\n- To communicate with GridDB Cloud via HTTP requests, we create a Spring
RestClient<\/code> instance with HTTP basic authentication.<\/li>\n- We
POST<\/code> the sql-select<\/code> query and convert the response into UserRecord<\/code><\/li>\n<\/ul>\nDemo<\/h3>\n
For demo, we have added demo users (admin@example.com, user@example.com<\/code>) on application startup. Full code can be access on Github<\/a>.<\/p>\n
- \n
- Is the token valid? (Does it match one we generated?)<\/li>\n
- Has it expired? (One-time tokens have a short lifespan for security)<\/li>\n
- Has it already been used? (Remember, it’s one-time use only!)<\/li>\n<\/ul>\n<\/li>\n
- If everything checks out, you’re logged in. The web application establishes a session for you.<\/li>\n<\/ol>\n
Let\u2019s Build This Thing!<\/h2>\n
Maven<\/h3>\n
To enable the One-Time Token feature, we need to include the
spring-boot-starter-security<\/code> andspring-boot-starter-web<\/code> dependencies.<\/p>\n\n<dependencies>\n <dependency>\n <groupId>org.springframework.boot<\/groupId>\n <artifactId>spring-boot-starter-web<\/artifactId>\n <\/dependency>\n <dependency>\n <groupId>org.springframework.boot<\/groupId>\n <artifactId>spring-boot-starter-security<\/artifactId>\n <\/dependency>\n<\/dependencies><\/code><\/pre>\n<\/div>\nSpring Security Configuration<\/h3>\n
Next, we configure the Spring Security and enable the form-login and One-Time Token Login:<\/p>\n
\n@Configuration\n@EnableWebSecurity\npublic class SecurityConfig {\n\n @Bean\n public SecurityFilterChain securityFilterChain(\n HttpSecurity http,\n SendLinkOneTimeTokenGenerationSuccessHandler successHandler,\n CustomOneTimeTokenService customOneTimeTokenService)\n throws Exception {\n AuthenticationSuccessHandler ottLoginsuccessHandler =\n (request, response, authentication) -> response.sendRedirect(\"\/\");\n\n http.csrf(Customizer.withDefaults())\n .authorizeHttpRequests(\n authorize ->\n authorize\n .requestMatchers(\"\/error\", \"\/\", \"\/images\/**\", \"\/js\/*.js\", \"\/css\/*.css\")\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/authentication\/login\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/logout\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/webjars\/**\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/ott\/sent\"))\n .permitAll()\n .requestMatchers(new AntPathRequestMatcher(\"\/ott\/submit\"))\n .permitAll()\n .anyRequest()\n .authenticated())\n .formLogin(\n form ->\n form.loginPage(\"\/authentication\/login\")\n .loginProcessingUrl(\"\/login\")\n .failureUrl(\"\/authentication\/login?failed\")\n .defaultSuccessUrl(\"\/\")\n .permitAll())\n .headers(\n httpSecurityHeaders -> httpSecurityHeaders.frameOptions(FrameOptionsConfig::disable))\n .logout(Customizer.withDefaults())\n .oneTimeTokenLogin(\n configurer ->\n configurer\n .tokenGenerationSuccessHandler(successHandler)\n .tokenService(customOneTimeTokenService)\n .showDefaultSubmitPage(false)\n .authenticationSuccessHandler(ottLoginsuccessHandler));\n\n return http.build();\n }\n}<\/code><\/pre>\n<\/div>\n- \n
@EnableWebSecurity<\/code> annotation: enable Spring Security’s web security support and provide the Spring MVC integration.<\/li>\nSecurityFilterChain<\/code> bean to add custom filter in Spring Security Context.<\/li>\n- Configures
authorizeHttpRequests<\/code> defines which URL path should be secured and which should not.<\/li>\n- Configures
formLogin()<\/code> to customize the form based authentication. ConfiguresloginPage()<\/code> for redirecting to\/authentication\/login<\/code> if authentication is required. ConfiguresloginProcessingUrl<\/code> to validate the submitted credentials.failureUrl<\/code> specify the URL to send users if authentication fails.<\/li>\n- Configures
headers()<\/code>. We enable all the default headers except the X-Frame-Options headers.<\/li>\n.logout(Customizer.withDefaults())<\/code> provides logout support using default settings. The default is that accessing the URL “\/logout” will log the user out by invalidating the HTTP Session, cleaning up anyrememberMe<\/code> authentication that was configured, clearing theSecurityContextHolder<\/code>, and then redirect to\/login?success<\/code>.<\/li>\n<\/ul>\nEnable One-Time Token Login support and customize it with
oneTimeTokenLogin()<\/code> method :
\n–tokenGenerationSuccessHandler<\/code> : Specifies strategy to be used to handle generated one-time tokens. We will create a custom handler that implementsOneTimeTokenGenerationSuccessHandler<\/code>.
\n–tokenService<\/code> : Configures theOneTimeTokenService<\/code> used to generate and consume theOneTimeToken<\/code>.
\n–showDefaultSubmitPage(false)<\/code> : disable the default One-Time Token submit page.
\n–authenticationSuccessHandler<\/code> : Specifies theAuthenticationSuccessHandler<\/code> strategy used to handle a successful user authentication. For demo, we redirect user to the home page.<\/p>\nCustom OneTimeTokenGenerationSuccessHandler<\/h3>\n
Next, we need to implement a custom OneTimeTokenGenerationSuccessHandler to deliver the token to the end user.<\/p>\n
\n@Component\npublic class SendLinkOneTimeTokenGenerationSuccessHandler\n implements OneTimeTokenGenerationSuccessHandler {\n\n private final OttEmailService emailService;\n private final FlashMapManager flashMapManager = new SessionFlashMapManager();\n\n public SendLinkOneTimeTokenGenerationSuccessHandler(OttEmailService emailService) {\n this.emailService = emailService;\n }\n\n @Override\n @SneakyThrows\n public void handle(\n HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken)\n throws IOException, ServletException {\n UriComponentsBuilder builder =\n UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(request))\n .replacePath(request.getContextPath())\n .replaceQuery(null)\n .fragment(null)\n .path(\"\/ott\/submit\")\n .queryParam(\"token\", oneTimeToken.getTokenValue());\n String link = builder.toUriString();\n CompletableFuture.runAsync(() -> emailService.sendEmail(oneTimeToken.getUsername(), link));\n\n RedirectView redirectView = new RedirectView(\"\/ott\/sent\");\n redirectView.setExposeModelAttributes(false);\n FlashMap flashMap = new FlashMap();\n flashMap.put(\"token\", oneTimeToken.getTokenValue());\n flashMap.put(\"ottSubmitUrl\", link);\n flashMapManager.saveOutputFlashMap(flashMap, request, response);\n redirectView.render(flashMap, request, response);\n }\n}<\/code><\/pre>\n<\/div>\nThis component will do a number of things:<\/p>\n
- \n
- Generate the magic link containing the one-time token.<\/li>\n
- Call
emailService.sendEmail()<\/code> to send the email to the user with magic link.<\/li>\n- For demo, we redirect user to the
\/ott\/sent<\/code> page.<\/li>\n<\/ul>\nCustom Success Page<\/h3>\n
Create a controller and an HTML template to handle this page. For demo purpose, we forward the token to the custom submit page.<\/p>\n
\n@Controller\n@RequestMapping(\"\/ott\")\npublic class OttController {\n @GetMapping(\"\/sent\")\n public String sent(Model model) {\n return \"ott\/sent\";\n }\n\n @GetMapping(\"\/submit\")\n public String submit(Model model, @RequestParam(\"token\") String token) {\n model.addAttribute(\"token\", token);\n return \"ott\/submit\";\n }\n}<\/code><\/pre>\n<\/div>\nsent.html<\/code><\/strong><\/h4>\n\n<html xmlns_th=\"http:\/\/www.thymeleaf.org\" xmlns_layout=\"http:\/\/www.ultraq.net.nz\/thymeleaf\/layout\"\n layout_decorate=\"~{layout}\">\n <head>\n <title>OTT Sent<\/title>\n <\/head>\n <body>\n <div layout_fragment=\"content\">\n <p>We just sent you an email. Please follow the provided link to log in.<\/p>\n <p>For testing here is the <a th_href=\"${ottSubmitUrl}\">submit link<\/a><\/p>\n <\/div>\n <\/body>\n<\/html><\/code><\/pre>\n<\/div>\nsubmit.html<\/code><\/strong><\/h4>\n\n<body>\n <div layout_fragment=\"content\">\n <div class=\"d-flex flex-wrap mb-4\">\n <h1 class=\"flex-grow-1\">Login OTT<\/h1>\n <\/div>\n <form th_action=\"@{\/login\/ott}\" method=\"post\">\n <div class=\"row mb-3\">\n <label for=\"token\" class=\"form-check-label\">Token<\/label>\n <input type=\"text\" id=\"token\" name=\"token\" th_value=\"${token}\" placeholder=\"Token\" required=\"true\"\n autofocus=\"autofocus\" class=\"form-control\"\/>\n <\/div>\n <button class=\"btn btn-primary\" type=\"submit\">Sign in<\/button>\n <\/form>\n <\/div>\n<\/body><\/code><\/pre>\n<\/div>\nCustom OneTimeTokenService<\/h3>\n
Next, create a custom implementation of
OneTimeTokenService<\/code> interface. By customizing it, we can have a custom expire time, adding more info into token, and implement custom token value.<\/p>\n\n@Service\npublic class CustomOneTimeTokenService implements OneTimeTokenService {\n private final Map<String, OneTimeToken> oneTimeTokens = new ConcurrentHashMap<>();\n\n private Clock clock = Clock.systemUTC();\n\n @Override\n @NonNull\n public OneTimeToken generate(GenerateOneTimeTokenRequest request) {\n String token = UUID.randomUUID().toString();\n Instant expiresAt = this.clock.instant().plus(5, ChronoUnit.MINUTES);\n\n OneTimeToken oneTimeToken = new DefaultOneTimeToken(token, request.getUsername(), expiresAt);\n oneTimeTokens.put(token, oneTimeToken);\n\n return oneTimeToken;\n }\n\n @Override\n @Nullable\n public OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken) {\n log.info(\"Consume token: {}\", authenticationToken.getTokenValue());\n OneTimeToken oneTimeToken = oneTimeTokens.remove(authenticationToken.getTokenValue());\n if (oneTimeToken == null || isExpired(oneTimeToken)) {\n return null;\n }\n return oneTimeToken;\n }\n\n private boolean isExpired(OneTimeToken oneTimeToken) {\n return this.clock.instant().isAfter(oneTimeToken.getExpiresAt());\n }\n}<\/code><\/pre>\n<\/div>\nCustomOneTimeTokenService<\/code> class responsible for:<\/p>\n- \n
- Generating the token and storing it. For demo, we use in memory store.<\/li>\n
- Consuming the token, we validate the token expiration and delete the token from the store.<\/li>\n<\/ul>\n
Retrieving Users<\/h3>\n
Create custom
UserDetailsService<\/code> implementation to load user-specific data.<\/p>\n\n@Service\n@AllArgsConstructor\npublic class CustomUserDetailService implements UserDetailsService {\n\n private final UsersContainerClient usersContainerClient;\n\n @Override\n public UserDetails loadUserByUsername(String email) {\n UserRecord user = usersContainerClient.getUserByEmail(email);\n if (user == null) {\n throw new UsernameNotFoundException(\"User not found\");\n }\n\n List<SimpleGrantedAuthority> authorities = new java.util.ArrayList<>();\n authorities.add(new SimpleGrantedAuthority(\"ROLE_USER\"));\n\n if (\"admin@example.com\".equals(user.email())) {\n authorities.add(new SimpleGrantedAuthority(\"ROLE_ADMIN\"));\n }\n\n return new org.springframework.security.core.userdetails.User(\n user.email(), user.password(), authorities);\n }\n}<\/code><\/pre>\n<\/div>\nThe user object is stored and fetched using the
UsersContainerClient<\/code> class, which will handle the interaction with GridDB Cloud.<\/p>\n\n@Service\npublic class UsersContainerClient {\n private static final String CONTAINER_NAME = \"Users\";\n private final RestClient restClient;\n private final String baseUrl;\n\n public UsersContainerClient(\n @Value(\"${griddb.base-url}\") String baseUrl,\n @Value(\"${griddb.auth-token}\") String authToken) {\n this.baseUrl = baseUrl;\n this.restClient =\n RestClient.builder()\n .baseUrl(this.baseUrl)\n .defaultHeader(\"Authorization\", \"Basic \" + authToken)\n .defaultHeader(\"Content-Type\", MediaType.APPLICATION_JSON_VALUE)\n .build();\n }\n\n private <T> T post(String uri, Object body, Class<T> responseType) {\n try {\n return restClient.post().uri(uri).body(body).retrieve().body(responseType);\n } catch (GridDbException e) {\n throw e;\n } catch (Exception e) {\n throw new GridDbException(\n \"Failed to execute POST request\", HttpStatusCode.valueOf(500), e.getMessage(), e);\n }\n }\n\n public UserRecord getUserByEmail(String email) {\n String statement =\n String.format(\"SELECT id, email, name, \"password\" FROM Users where email == '%s'\", email);\n return getOneUser(statement);\n }\n\n private UserRecord getOneUser(String statement) {\n String type = \"sql-select\";\n GridDbCloudSQLSelectInput input = new GridDbCloudSQLSelectInput(type, statement);\n var response = post(\"\/sql\", List.of(input), GridDbCloudSQLOutPut[].class);\n log.info(\"Output: {}\", response[0]);\n if (response[0].results().size() == 0) {\n return null;\n }\n UserRecord foundUser = null;\n for (List<String> row : response[0].results()) {\n if (row.size() < 4) {\n break;\n }\n foundUser = new UserRecord(row.get(0), row.get(1), row.get(2), row.get(3));\n }\n log.info(\"Found user: {}\", foundUser);\n return foundUser;\n }\n}\n\nrecord GridDbCloudSQLSelectInput(String type, @JsonProperty(\"stmt\") String statement) {}\n\nrecord GridDbCloudSQLOutPut(\n @JsonProperty(\"columns\") List<GDCColumnInfo> columns,\n @JsonProperty(\"results\") List<List<String>> results,\n @JsonProperty(\"responseSizeByte\") long responseSizeByte) {}<\/code><\/pre>\n<\/div>\n- \n
- To communicate with GridDB Cloud via HTTP requests, we create a Spring
RestClient<\/code> instance with HTTP basic authentication.<\/li>\n- We
POST<\/code> thesql-select<\/code> query and convert the response intoUserRecord<\/code><\/li>\n<\/ul>\nDemo<\/h3>\n
For demo, we have added demo users (
admin@example.com, user@example.com<\/code>) on application startup. Full code can be access on Github<\/a>.<\/p>\n - We
- To communicate with GridDB Cloud via HTTP requests, we create a Spring
- For demo, we redirect user to the
![\"\"](\"https:\/\/griddb.net\/wp-content\/uploads\/2025\/05\/onetimetokendemo.gif\")
<\/a><\/p>\n