Interesting idea… Can the 8-digit code be entered in a separate field? And be used by a subclass of UsernamePasswordToken class?
> On Mar 13, 2025, at 12:26 AM, Andreas Reichel <[email protected]> wrote:
>
> Greetings!
>
> We did a small thing and thought it may be of interest to a broader audience.
> One of our clients insisted on additional security using a second-factor
> authorization, using ENTRUST.
>
> The ENTRUST application would run on the user's phone and generate a One Time
> Token (8 digits), valid for 30 seconds.
>
> When authenticating with username and password, this token must be passed and
> verified. Else authentication shall be denied.
> ActiveDirectory and JDBC Realms are in use.
>
> To make this happen, we have implemented a `TokenAware` interface, which the
> common realms can implement. It takes care of the 2FA part and I have the
> examples attached.
>
> 1) in the shiro.ini change the ActiveDirectoryRealm into
>    TokenAwareActiveDirectoryRealm
>
> 2) then set the properties tokenRegex, soapUrl, soapUser, soapPass, soapWs
>
>    # define the 2FA Token as 8 trailing digits
>    realm.tokenRegex = (.+)(\d{8})$
>
>    realm.soapUrl = https://172.20.236.28:7851/entrust2/service
>    realm.soapUser = ....
>    realm.soapPass = ....
>    realm.soapWs = http://ws.waei.uba.com/
>
> 3) then the User will need to append the 8 digit Entrust Token to the regular
>    password, e.g.
>
>    username: [email protected]
>    password: MySecret25
>
>    would become
>
>    username: [email protected]
>    password: MySecret2543218765
>
>    (With "43218765" obtained from the Entrust App, which will be valid one time
>    and for 30 seconds only.)
>
> This works like a charm for us and has the advantage that it can be switched
> on/off just by changing the realm and works with existing Forms and Dialogs
> (not depending on an extra pop-up or Token field).
>
> The Code is attached, please do let me know what you think and if there is
> any interest to commit this into the project.
>
> All the best and cheers
> Andreas
>
> <TokenAware.java>
> <TokenAwareMJdbcRealm.java>
> <TokenAwareLdapRealm.java>
> <TokenAwareActiveDirectoryRealm.java>
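An added example, not the code attached to the post: the split that `realm.tokenRegex` performs on the combined password field, carried by a `UsernamePasswordToken` subclass with its own OTP field as the reply suggests. The `OtpVerifier` interface is an assumption standing in for the Entrust SOAP call; the realm's password check itself is not shown.

```java
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;

/** Username/password token that also carries the 8-digit one-time code. */
public class OtpUsernamePasswordToken extends UsernamePasswordToken {

    // Same expression as realm.tokenRegex in the post: password, then 8 trailing digits.
    private static final Pattern TOKEN_REGEX = Pattern.compile("(.+)(\\d{8})$");

    private char[] otp;

    /** Separate-field form: the login form submits the OTP in its own input. */
    public OtpUsernamePasswordToken(String username, char[] password, char[] otp) {
        super(username, password);
        this.otp = otp;
    }

    /** Combined-field form: "MySecret25" + "43218765" typed into the existing password box. */
    public static OtpUsernamePasswordToken fromCombined(String username, char[] combined) {
        Matcher m = TOKEN_REGEX.matcher(new String(combined));
        if (!m.matches()) {
            // No 8-digit suffix: deny rather than silently fall back to single-factor login.
            throw new AuthenticationException("password must end with the 8-digit token");
        }
        return new OtpUsernamePasswordToken(username,
                m.group(1).toCharArray(), m.group(2).toCharArray());
    }

    public char[] getOtp() { return otp; }

    /** Hypothetical second-factor check (assumption); the Entrust SOAP call would sit behind it. */
    public interface OtpVerifier {
        boolean verify(String username, char[] otp);
    }

    /** Both factors must pass; a TokenAware realm would call this after its own password check. */
    public boolean secondFactorPasses(OtpVerifier verifier) {
        return otp != null && otp.length == 8 && verifier.verify(getUsername(), otp);
    }

    /** Wipe the OTP together with the password once authentication has finished. */
    @Override
    public void clear() {
        super.clear();
        if (otp != null) { Arrays.fill(otp, (char) 0); otp = null; }
    }
}
```

Because the code is always the last eight characters, the greedy `(.+)` still splits correctly when the password itself ends in digits; a submission shorter than nine characters, or one without an 8-digit suffix, is rejected instead of being treated as a plain password.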
