Thanks to you both for the advice. If I get something useful done I'll send you a request. I'll also take another look at StormPath,
Richard From: Lenny Primak [mailto:[email protected]] Sent: Friday, July 29, 2016 5:27 PM To: [email protected] Subject: Re: Shiro and OTP / MFA Also, Stormpath supports this out of the box On Jul 29, 2016, at 9:00 AM, Brian Demers <[email protected]<mailto:[email protected]>> wrote: Some of this is tricky because it requires a bit of UI (which you don't get out of the box with Shiro) And for password request, not all realms would support resetting passwords (for example some would require navigating to a different service, others the connection Shiro knows about is read only) Restricting logins should be possible, any realm that uses a 'UsernamePasswordToken' has access to the servletRequest.remoteHost via the 'getHost()' method. Anything that fits in Shiro itself would be welcome, send us a pull request! I know Sonatype's Nexus<https://github.com/sonatype/nexus-public>[1], and a few other projects have password reset support, you could start there. [1]https://github.com/sonatype/nexus-public
