Do you need the rememberMe functionality in addition to the two-factor authentication? If not, the first filter could easily make the user remembered and the second one authenticated. Or you could use a generic role to mark that the user needs or has completed the second phase authentication.
Kalle

On Thu, Feb 18, 2016 at 8:50 AM, Brian Demers <[email protected]> wrote:
> Thinking out loud here, so others feel free to chime in.
>
> As far as OTP goes, some systems use pin + token as a single line. With
> this case, you _could_ use a UserPasswordToken and have your
> realm/authenticator check to see if the user has a OTP attribute set or not.
>
> But for the multi form (similar to what google or github approach) your
> idea with the auth filters might be a good approach. You could check for
> an existing of a role/permission "OTP" (or subject attribute) from a
> filter, and then redirect to your other login page. Needing to force the
> subject logout is an interesting issue, I cannot think of an easy way
> around this without overriding a few methods from the SecurityManager.
>
> Other thoughts on this?
>
>
> On Thu, Feb 18, 2016 at 2:42 AM, alexd92 <[email protected]> wrote:
>
>> For the moment I'm thinking at the following solution:
>> - use two filters, f1 and f2 and 2 realms (r1 and r2)
>> - protect the urls: /login1 = anon, /login2 = f1, /** = f2
>> - f1 = org.apache.shiro.web.filter.authc.UserFilter
>> - f2 = { custom filter which permits access if user has 2 principals in session }
>> - r1 = could be JdbcRealm
>> - r2 = custom realm which adds two principals in session
>>
>> Short:
>> - first login is anonymous, anyone could enter credentials
>> - in case of success it is redirected to second login page, where it has
>>   access only if it is authenticated (using r1)
>> - if login2 succeeds it is redirected to main page, and has access only if
>>   it passes the second filter, f2 (which it will, if the login2 succeeded).
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Multifactor-authentication-tp7580952p7580953.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
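As an added example (not code from anyone in this thread), here is one way to write alexd92's "f2" gate as a Shiro AccessControlFilter, also covering Kalle's point that a merely remembered subject must not pass. It assumes r1 and r2 each contribute a principal, so a fully verified subject has at least two; the class name and the /login1 and /login2 paths are placeholders.

```java
import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/** Example filter: mapped to "/**" in shiro.ini, it admits only subjects that
 *  finished both login phases. (Class name and URLs are placeholders.) */
public class SecondFactorFilter extends AccessControlFilter {

    private String firstLoginUrl = "/login1";   // anonymous credential form (anon)
    private String secondLoginUrl = "/login2";  // OTP form, guarded by UserFilter (f1)

    public void setFirstLoginUrl(String url) { this.firstLoginUrl = url; }
    public void setSecondLoginUrl(String url) { this.secondLoginUrl = url; }

    /** Allowed only when the subject is authenticated in this session (not just
     *  remembered) and carries principals from both realms r1 and r2. */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            return false;   // rememberMe alone never satisfies the second factor
        }
        PrincipalCollection principals = subject.getPrincipals();
        return principals != null && principals.asList().size() >= 2;
    }

    /** Send the subject to whichever login phase it is still missing. */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        Subject subject = SecurityUtils.getSubject();
        String target = subject.isAuthenticated() ? secondLoginUrl : firstLoginUrl;
        WebUtils.issueRedirect(request, response, target);
        return false;       // stop the filter chain; the redirect is the response
    }
}
```

With this in place the URL section of shiro.ini stays as alexd92 listed it (/login1 = anon, /login2 = f1, /** = f2), and the second realm is what turns the one-principal subject into a two-principal one.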
