Hi, I'm currently trying to improve the logon processes around my app which uses Shiro with a JDBC realm for password auth. I'm trying to add a forgot-password-process which will e-mail a short-lived reset link. I'm also hoping to add additional MFA options, most importantly:
- Restricting logins for users from specific IP ranges
- Requiring an SMS-delivered one-time-password as part of the logon process.

I'm sure various folks here must have done this before and was wondering if:
- There's any support in Shiro for this kind of flow that I haven't found yet?
- If anyone has any pointers on how to do it well with Shiro?
- If not, and I implemented this, if there'd be any interest in my submitting appropriate patches back upstream and if so, where the most appropriate place would be to put hooks in the API for it?

Regards,
Richard
