春季安全 4 2FA [英] Spring Security 4 2FA

问题描述

所以我试图保护我使用 spring mvc 和安全性构建的 Web 应用程序.我目前拥有来自正常自定义登录页面的基本用户名和密码，该页面使用自定义身份验证提供程序来提供针对数据库验证的填充身份验证对象.我想知道的是如何实现使用 TOTP 的第二阶段登录?我可以让 TOTP 发布和验证工作，但我不确定如何修改 Spring Security 以通过在我指定的登录页面以外的页面上提交令牌的表单来接受对授权的更改.

so I am trying to secure a web application that I built using spring mvc and security. I currently have the basic username and password from a normal custom login page working using a custom authentication provider to provide the populated authentication object that is verified against a database. What I am wondering is how do I implement a second phase of logging in that uses TOTP? I can get the the TOTP issuing and verification to work, but am unsure how to modify spring security to accept a change to authorization via a form submission of the token on a page other then the login page I've specified.

推荐答案

所以基本上我最终做的是使用 authy api(http://docs.authy.com/) 进行 TOTP 交付和验证.初始登录后，我授予他们 ROLE_PRE_AUTH，然后将他们发送到受保护的页面以处理 TOTP.然后我用

So basically what I ended up doing was using the authy api(http://docs.authy.com/) to do the TOTP delivery and verification. After the initial login I grant them ROLE_PRE_AUTH and then send them to a protected page to process the TOTP. I then used

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(auth.getAuthorities());
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        Authentication newAuth = new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), authorities);
        SecurityContextHolder.getContext().setAuthentication(newAuth);

在我确认用户拥有有效的 TOTP 后更新用户的角色.

to update the roles for the user once I verified that they had a valid TOTP.

这篇关于春季安全 4 2FA的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！