shiro-user mailing list archives

From alexd92 <ditu.alexan...@gmail.com>
Subject Multifactor authentication
Date Tue, 16 Feb 2016 21:16:17 GMT
Hello,

I have been searching this subject for a while but I couldn't find anything
very useful. The best resource is here [1], but it is not enough. What I
want to achieve is this: a two-factor authentication using a static password
(from the database) and an OTP password that the user can provide (maybe they get it
through SMS; it doesn't matter).

I am not sure what the secure way to do this is, but I am planning something
like this:
- for the sake of example, let's presume I have 3 pages: login1.jsp,
login2.jsp and mainPage.jsp (which I want to protect using the 2-factor
authentication)
- make 2 filters, let's say filter1 and filter2;
- e.g. URLs: /login1.jsp = anon; /login2.jsp = filter1; /** = filter2

- phase 1: the user enters credentials and I try to log in the subject using the
JdbcRealm [problem 1]; in case of success, put a flag in the session and
redirect to login2.jsp
- phase 2: filter1 permits access only if the flag is set;
- collect the static password from login2.jsp and issue login with it
- if credentials match redirect to mainPage, filter2 permits access only if
user isAuthenticated

The main problem is how to write the filters. I would do something like
this:
- if user and password are OK, then put a flag in the session
- filter1 permits access only if the flag is set
- do a normal login using the OTP password and authenticate the user; filter2
permits access if the user is authenticated (I can use a default Shiro filter,
like UserFilter).

What confuses me is this: in phase one, when I check user + static password,
if I use subject.login(token), in case of success I get an authenticated
user, but I just need to put a flag in the session; otherwise filter2 will
allow access (and I don't want this yet, the user must provide the OTP password).
Should I log out afterwards? (sounds dumb). I could just use
doGetAuthenticationInfo from JdbcRealm, and I'm perfectly fine, but I'm not
sure if this is the right way.

Any suggestions would be appreciated!

[1]
http://shiro-user.582556.n2.nabble.com/Multi-stage-or-OTP-sms-factor-td7580272.html



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multifactor-authentication-tp7580952.html
Sent from the Shiro User mailing list archive at Nabble.com.
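One way to build the two-phase flow described in the post, as an added example that is not from the post or from Shiro itself. Phase 1 checks the static password through the realm rather than Subject.login(), so the Subject stays unauthenticated and the default 'user' filter on /** keeps denying; phase 2 is the real login with a dedicated token type and realm. The class names, the session key PHASE1_USER and the pendingOtpFor() hook are assumptions; only the Shiro classes are real.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.web.filter.AccessControlFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public final class MfaLogin {
    static final String PHASE1_USER = "mfa.phase1User"; // assumed session key
    // Phase 1: verify the static password through the realm, NOT Subject.login(), so the
    // Subject is still unauthenticated and filter2 ('user'/'authc' on /**) keeps denying.
    public static boolean firstFactor(JdbcRealm realm, String user, char[] password) {
        try { if (realm.getAuthenticationInfo(new UsernamePasswordToken(user, password)) == null) return false; }
        catch (AuthenticationException e) { return false; } // unknown user or wrong password
        SecurityUtils.getSubject().getSession().setAttribute(PHASE1_USER, user);
        return true;
    }
    // filter1 for /login2.jsp: only a session that passed phase 1 may see the OTP form.
    public static class FirstFactorFilter extends AccessControlFilter {
        @Override protected boolean isAccessAllowed(ServletRequest rq, ServletResponse rs, Object mv) {
            Session s = SecurityUtils.getSubject().getSession(false);
            return s != null && s.getAttribute(PHASE1_USER) != null;
        }
        @Override protected boolean onAccessDenied(ServletRequest rq, ServletResponse rs) throws Exception {
            redirectToLogin(rq, rs); // loginUrl = /login1.jsp, configured in shiro.ini
            return false;
        }
    }
    // Phase 2 token: its own type, so JdbcRealm.supports() is false and only OtpRealm is consulted.
    public static class OtpToken implements AuthenticationToken {
        final String user, otp;
        public OtpToken(String user, String otp) { this.user = user; this.otp = otp; }
        public Object getPrincipal() { return user; }
        public Object getCredentials() { return otp; }
    }
    // Phase 2 realm: Subject.login(new OtpToken(user, otp)) is the real login; it only succeeds
    // for the user who passed phase 1 in THIS session. pendingOtpFor() is an assumed hook.
    public abstract static class OtpRealm extends AuthenticatingRealm {
        protected abstract String pendingOtpFor(String user); // server-side copy of the SMS code
        @Override public boolean supports(AuthenticationToken t) { return t instanceof OtpToken; }
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            OtpToken tok = (OtpToken) t;
            if (!tok.user.equals(SecurityUtils.getSubject().getSession().getAttribute(PHASE1_USER)))
                throw new AuthenticationException("first factor not completed in this session");
            return new SimpleAuthenticationInfo(tok.user, pendingOtpFor(tok.user), getName());
        }
    }
}
```

Register the filter and realm in shiro.ini's [main] section (nested classes are named with a `$`, e.g. MfaLogin$FirstFactorFilter) and use the [urls] mapping from the post; after a successful OTP login, remove PHASE1_USER from the session so the phase-1 flag cannot be reused.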
