Hello, I have been searching this subject for a while but I couldn't find something very useful. The best resource is here [1], but it is not enough. What I want to achieve is this: a two-factor authentication using a static password (from the database) and an OTP password that a user can provide (maybe they get it through SMS, it doesn't matter).

I am not sure what the secure way to do this is, but I am planning something like this:

- for the sake of example, let's presume I have 3 pages: login1.jsp, login2.jsp and mainPage.jsp (which I want to protect using the two-factor authentication)
- make 2 filters, let's say filter1 and filter2;
- e.g. URLs: /login1.jsp = anon; /login2.jsp = filter1; /** = filter2
- phase 1: the user enters credentials and I try to log in the subject using the JdbcRealm [problem 1]; in case of success put a flag in the session, and redirect to login2.jsp
- phase 2: filter1 permits access only if the flag is set;
- collect the static password from login2.jsp and issue login with it
- if credentials match, redirect to mainPage; filter2 permits access only if user isAuthenticated

The main problem is how to write the filters. I would do something like this:

- if user and password are ok, then put a flag in the session
- filter1 permits access only if the flag is set
- do a normal login using the OTP password and authenticate the user; filter2 permits access if the user is authenticated (I can use a default Shiro filter, like UserFilter).

What confuses me is this: in phase one, when I check user + static password, if I use subject.login(token) in case of success I get an authenticated user, but I just need to put a flag in the session, otherwise filter2 will allow access (and I don't want this yet, it must provide the OTP password). Should I logout afterwards? (sounds dumb). I could just use the doGetAuthenticationInfo from JdbcRealm, and I'm perfectly fine, but I'm not sure if this is the right way.

Any suggestions would be appreciated!

[1] http://shiro-user.582556.n2.nabble.com/Multi-stage-or-OTP-sms-factor-td7580272.html

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multifactor-authentication-tp7580952.html
Sent from the Shiro User mailing list archive at Nabble.com.
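One way to gate the second stage without logging the subject out, as an added example that is not from the original thread or from Shiro itself: a custom AccessControlFilter (the class name OtpVerifiedFilter, the session key otpVerified and the /login2.jsp URL are assumptions) that lets a request through only when the subject is authenticated and the session carries a marker written solely by the OTP check, so a phase-1 subject.login() on its own never unlocks mainPage.jsp.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical "filter2": passes only if authenticated AND the OTP marker is set in this session. */
public class OtpVerifiedFilter extends AccessControlFilter {
    /** Assumed session key; only markOtpVerified() writes it, so a phase-1 login alone never sets it. */
    public static final String OTP_VERIFIED = "otpVerified";
    private static final String OTP_URL = "/login2.jsp";   // page that collects the OTP

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated()) {
            return false;                                  // static-password step not passed
        }
        Session session = subject.getSession(false);
        return session != null && Boolean.TRUE.equals(session.getAttribute(OTP_VERIFIED));
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        if (getSubject(request, response).isAuthenticated()) {
            WebUtils.issueRedirect(request, response, OTP_URL);   // password ok, OTP still pending
        } else {
            saveRequestAndRedirectToLogin(request, response);     // loginUrl configured as /login1.jsp
        }
        return false;
    }

    /** Phase 2: compare the submitted OTP in constant time and, on success, set the marker. */
    public static boolean markOtpVerified(Subject subject, String submitted, String expected) {
        if (!subject.isAuthenticated() || submitted == null || expected == null) {
            return false;
        }
        boolean ok = MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8),
                                           expected.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            subject.getSession().setAttribute(OTP_VERIFIED, Boolean.TRUE);
        }
        return ok;
    }
}
```

Wire it in shiro.ini with a [main] entry such as `otpVerified = com.example.OtpVerifiedFilter` (package is a placeholder) and `/** = otpVerified` under [urls], while /login2.jsp is guarded by Shiro's built-in `user` filter so only a password-authenticated subject reaches the OTP page.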
