shiro-user mailing list archives

From alexd92 <>
Subject Multifactor authentication
Date Tue, 16 Feb 2016 21:16:17 GMT

I have been searching this subject for a while, but I couldn't find something
very useful. The best resource is here [1], but it is not enough. What I
want to achieve is this: a two-factor authentication using a static password
(from the database) and an OTP password that a user can provide (maybe it gets it
through SMS, it doesn't matter).

I am not sure what the secure way to do this is, but I am planning something
like this:
- for the sake of example, let's presume I have 3 pages: login1.jsp,
login2.jsp and mainPage.jsp (which I want to protect using the 2-factor
authentication);
- make 2 filters, let's say filter1 and filter2;
- e.g. URLs: /login1.jsp = anon; /login2.jsp = filter1; /** = filter2

- phase 1: the user enters credentials and I try to log in the subject using the
JdbcRealm [problem 1]; in case of success, put a flag in the session and
redirect to login2.jsp
- phase 2: filter1 permits access only if the flag is set;
- collect the static password from login2.jsp and issue a login with it
- if the credentials match, redirect to mainPage; filter2 permits access only if
the user isAuthenticated

The main problem is how to write the filters. I would do something like:
- if the user and password are OK, then put a flag in the session
- filter1 permits access only if the flag is set
- do a normal login using the OTP password and authenticate the user; filter2
permits access if the user is authenticated (I can use a default Shiro filter,
like UserFilter).

What confuses me is this: in phase one, when I check user + static password,
if I use subject.login(token), in case of success I get an authenticated
user, but I just need to put a flag in the session, otherwise filter2 will
allow access (and I don't want this yet, it must provide the OTP password).
Should I logout afterwards? (Sounds dumb.) I could just use
doGetAuthenticationInfo from JdbcRealm, and I'm perfectly fine, but I'm not
sure if this is the right way.

Any suggestions would be appreciated!


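The two-phase flow described in the message above, written out as an added example; it is neither the poster's code nor part of Apache Shiro, and the package, the class names (TwoFactorLogin, PendingMfa, OtpToken, OtpRealm, OtpPendingFilter), the 5-minute OTP lifetime and the 5-attempt limit are all assumptions. It answers the "should I logout afterwards?" question by never calling subject.login() in phase 1: the JdbcRealm is kept out of the SecurityManager and its public getAuthenticationInfo() is called directly, which looks the account up and asserts the password matches without binding anything to the Subject. The only registered realm accepts an OTP token, so a password alone can never complete a login. Sending the OTP by SMS is outside the example; the static password realm is assumed to be a JdbcRealm configured with a DataSource and a HashedCredentialsMatcher in application code.

```java
package example.mfa; // assumed package; every class name here is hypothetical

import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/*
 * Assumed shiro.ini wiring. Only OtpRealm is registered, so a bare password can never
 * complete Subject.login(); the JdbcRealm is handed to verifyPassword() and used directly.
 *   [main]
 *   otpRealm = example.mfa.TwoFactorLogin$OtpRealm
 *   securityManager.realms = $otpRealm
 *   otpPending = example.mfa.TwoFactorLogin$OtpPendingFilter
 *   authc.loginUrl = /login1.jsp
 *   [urls]
 *   /login1.jsp = anon
 *   /login2.jsp = otpPending
 *   /** = authc
 */
public final class TwoFactorLogin {
    static final String PENDING = "mfa.pending";
    private static final SecureRandom RNG = new SecureRandom();
    private static final long OTP_TTL_MS = 5 * 60_000L; // assumed lifetime
    private static final int MAX_ATTEMPTS = 5;          // assumed limit

    /** Server-side record of a passed first factor; lives only in the Shiro session. */
    static final class PendingMfa implements Serializable {
        final String username; final String otp; final long expiresAt; int attempts;
        PendingMfa(String u, String o, long e) { username = u; otp = o; expiresAt = e; }
    }

    /** Phase 1: verify the static password WITHOUT logging the Subject in. */
    public static String verifyPassword(JdbcRealm passwordRealm, String username, char[] password) {
        // Realm.getAuthenticationInfo() looks the account up and asserts the credentials match,
        // exactly as Subject.login() would, but binds nothing to the Subject. It throws
        // AuthenticationException on failure, so nothing below runs for a bad password.
        passwordRealm.getAuthenticationInfo(new UsernamePasswordToken(username, password));
        String otp = String.format("%06d", RNG.nextInt(1_000_000));
        Session session = SecurityUtils.getSubject().getSession();
        session.setAttribute(PENDING, new PendingMfa(username, otp, System.currentTimeMillis() + OTP_TTL_MS));
        return otp; // hand to the SMS sender; it must never be written to the HTTP response
    }

    /** Phase 2: the OTP from login2.jsp completes the login; the record is single-use. */
    public static void completeLogin(String submittedOtp) {
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession(false);
        PendingMfa p = session == null ? null : (PendingMfa) session.getAttribute(PENDING);
        if (p == null) throw new UnknownAccountException("no first factor on record");
        subject.login(new OtpToken(p.username, submittedOtp)); // OtpRealm decides; throws on failure
        session.removeAttribute(PENDING);
    }

    /** "filter1": admits a request only after phase 1 succeeded in this session. */
    public static class OtpPendingFilter extends AccessControlFilter {
        @Override
        protected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object mappedValue) {
            Session s = getSubject(req, resp).getSession(false);
            return s != null && s.getAttribute(PENDING) != null;
        }
        @Override
        protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
            WebUtils.issueRedirect(req, resp, "/login1.jsp");
            return false;
        }
    }

    /** The only token the registered realm accepts. */
    public static final class OtpToken implements AuthenticationToken {
        private final String username, otp;
        public OtpToken(String username, String otp) { this.username = username; this.otp = otp; }
        public Object getPrincipal() { return username; }
        public Object getCredentials() { return otp; }
    }

    /** Registered realm: compares the submitted OTP with the session record in constant time. */
    public static class OtpRealm extends AuthenticatingRealm {
        public OtpRealm() {
            setAuthenticationTokenClass(OtpToken.class); // supports() only OtpToken
            setCredentialsMatcher((token, info) -> MessageDigest.isEqual(
                    String.valueOf(token.getCredentials()).getBytes(StandardCharsets.UTF_8),
                    String.valueOf(info.getCredentials()).getBytes(StandardCharsets.UTF_8)));
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            Session s = SecurityUtils.getSubject().getSession(false);
            PendingMfa p = s == null ? null : (PendingMfa) s.getAttribute(PENDING);
            if (p == null || !p.username.equals(token.getPrincipal()))
                throw new UnknownAccountException("no pending first factor for this session");
            // Either failure burns the record, so a fresh password check is required.
            if (System.currentTimeMillis() > p.expiresAt) { s.removeAttribute(PENDING); throw new ExpiredCredentialsException("OTP expired"); }
            if (++p.attempts > MAX_ATTEMPTS) { s.removeAttribute(PENDING); throw new ExcessiveAttemptsException("too many OTP attempts"); }
            s.setAttribute(PENDING, p); // persist the attempt counter
            return new SimpleAuthenticationInfo(p.username, p.otp, getName());
        }
    }
}
```

Two caveats for the filter side of the question. Shiro's built-in UserFilter also admits "remembered" identities (it only checks that a principal is present), so the page behind the second factor should be mapped to authc, which requires isAuthenticated(); that is why the wiring above uses authc for /** rather than user. And Shiro does not rotate the session id when login succeeds, so session fixation has to be handled separately from this flow.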