Thinking out loud here, so others feel free to chime in. As far as OTP goes, some systems use pin + token as a single line. With this case, you _could_ use a UserPasswordToken and have your realm/authenticator check to see if the user has a OTP attribute set or not.
But for the multi form (similar to what google or github do) your idea with the auth filters might be a good approach. You could check for the existence of a role/permission "OTP" (or subject attribute) from a filter, and then redirect to your other login page. Needing to force the subject logout is an interesting issue, I cannot think of an easy way around this without overriding a few methods from the SecurityManager. Other thoughts on this?

On Thu, Feb 18, 2016 at 2:42 AM, alexd92 <[email protected]> wrote:

> For the moment I'm thinking at the following solution:
> - use two filters, f1 and f2, and 2 realms (r1 and r2)
> - protect the urls: /login1 = anon, /login2 = f1, /** = f2
> - f1 = org.apache.shiro.web.filter.authc.UserFilter
> - f2 = custom filter which permits access if user has 2 principals in session
> - r1 = could be JdbcRealm
> - r2 = custom realm which adds two principals in session
>
> Short:
> - first login is anonymous, anyone could enter credentials
> - in case of success it is redirected to second login page, where it has access only if it is authenticated (using r1)
> - if login2 succeeds it is redirected to main page, and has access only if it passes the second filter, f2 (which it will, if the login2 succeeded).
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Multifactor-authentication-tp7580952p7580953.html
> Sent from the Shiro User mailing list archive at Nabble.com.
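Added example, not code from either poster or from the Shiro project: one way to write the "f2" gate from the quoted plan as a Shiro `AccessControlFilter`. It uses only Shiro web-filter API that exists (`AccessControlFilter`, `WebUtils.issueRedirect`, `saveRequestAndRedirectToLogin`); the class name `SecondFactorFilter`, the session attribute key `example.otpVerified`, the URLs `/login1` and `/login2`, and the helper methods are assumptions for illustration. Instead of counting principals, it records the second factor as a session attribute that the OTP page sets, which keeps the first realm untouched.

```java
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical second-factor gate (added example, not Shiro's own class).
 *
 * Flow it enforces:
 *   /login1  -> password login against the normal realm (first factor)
 *   /login2  -> OTP page; on success the page calls markSecondFactorVerified()
 *   /**      -> protected by this filter: needs BOTH facts to be true
 *
 * Example shiro.ini wiring (assumed names):
 *   [main]
 *   secondFactor = SecondFactorFilter
 *   secondFactor.loginUrl = /login1
 *   secondFactor.secondFactorUrl = /login2
 *   [urls]
 *   /login1 = anon
 *   /login2 = user
 *   /** = secondFactor
 */
public class SecondFactorFilter extends AccessControlFilter {

    /** Session attribute set only after the OTP was checked (assumed key). */
    public static final String OTP_VERIFIED_KEY = "example.otpVerified";

    private String secondFactorUrl = "/login2";

    public void setSecondFactorUrl(String url) {
        this.secondFactorUrl = url;
    }

    public String getSecondFactorUrl() {
        return secondFactorUrl;
    }

    /** Access is allowed only if the subject is authenticated AND the OTP flag is present. */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated()) {
            return false;
        }
        Session session = subject.getSession(false); // do not create a session just to check
        return session != null && Boolean.TRUE.equals(session.getAttribute(OTP_VERIFIED_KEY));
    }

    /** Send the user to whichever step is still missing, then stop the chain. */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated()) {
            // No first factor yet: same behaviour as UserFilter, remember the request and go to loginUrl.
            saveRequestAndRedirectToLogin(request, response);
        } else {
            // First factor done, second factor missing.
            WebUtils.issueRedirect(request, response, getSecondFactorUrl());
        }
        return false;
    }

    /** Called by the /login2 handler after it has validated the OTP. */
    public static void markSecondFactorVerified() {
        SecurityUtils.getSubject().getSession(true).setAttribute(OTP_VERIFIED_KEY, Boolean.TRUE);
    }

    /**
     * Called by the /login2 handler when the OTP attempt is rejected for good.
     * Logging out destroys the session, so the flag and the first-factor state go away together;
     * this is the "force the subject logout" case from the thread, without touching the SecurityManager.
     */
    public static void abandonSecondFactor() {
        SecurityUtils.getSubject().logout();
    }
}
```

With this layout the OTP page itself is guarded by the built-in `user` filter, so it is only reachable after the password step, and anything under `/**` is unreachable until both steps have completed. Because the flag lives in the session, a plain `subject.logout()` is enough to reset the flow, and the flag is never stored as a principal, so a realm that lists principals for authorization is not affected.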
