For the moment I'm thinking of the following solution:
- use two filters, f1 and f2, and 2 realms (r1 and r2)
- protect the URLs: /login1 = anon, /login2 = f1, /** = f2
- f1 = org.apache.shiro.web.filter.authc.UserFilter
- f2 = { custom filter which permits access if user has 2 principals in session }
- r1 = could be JdbcRealm
- r2 = custom realm which adds two principals in session

Short:
- first login is anonymous, anyone could enter credentials
- in case of success it is redirected to second login page, where it has access only if it is authenticated (using r1)
- if login2 succeeds it is redirected to main page, and has access only if it passes the second filter, f2 (which it will, if the login2 succeeded).



--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Multifactor-authentication-tp7580952p7580953.html
Sent from the Shiro User mailing list archive at Nabble.com.
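
The custom filter f2 described in the message above could look like the following sketch, an added example that is not part of the original post and not Shiro's own code. It is written against the Shiro 1.x servlet API (javax.servlet). Assumptions: the class name TwoFactorFilter, the realm names "r1" and "r2", and that r2 returns a principal collection holding entries under both realm names are all hypothetical.

```java
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;

/**
 * Hypothetical f2: allows a request only when the Subject's principals
 * include entries contributed under both realm names.
 */
public class TwoFactorFilter extends AccessControlFilter {

    // Assumed realm names; they must match Realm.getName() of r1 and r2.
    private String firstRealmName = "r1";
    private String secondRealmName = "r2";

    public void setFirstRealmName(String name) { this.firstRealmName = name; }
    public void setSecondRealmName(String name) { this.secondRealmName = name; }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        Subject subject = getSubject(request, response);
        // A remember-me identity carries principals but is not authenticated,
        // so require a login performed in the current session.
        if (!subject.isAuthenticated()) {
            return false;
        }
        PrincipalCollection principals = subject.getPrincipals();
        if (principals == null) {
            return false;
        }
        // Both factors must have contributed a principal.
        Set<String> realms = principals.getRealmNames();
        return realms.contains(firstRealmName) && realms.contains(secondRealmName);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        // Remember the requested URL, redirect to the configured loginUrl,
        // and stop the filter chain.
        saveRequestAndRedirectToLogin(request, response);
        return false;
    }
}
```

The redirect target comes from the filter's loginUrl property inherited from AccessControlFilter, which would point at the first login page.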