  • Implementing multistep authentication process


    It's the first time I'm learning Spring Security, and I'm trying to find out if Spring Security will help to solve my problem.
    I've just started to read the book about Spring Security, but I have to estimate my work ASAP, so I'm here.

    I'm going to secure the web application, and my user has several ways to sign in. I used to name them "authentication methods". One of them refers to the user's own one-time password list, another one implements the "challenge-response" scheme using the user's own security device, etc. However, there is a simple "username-password" scheme too.
    The common flow consists of three steps:
    1. user provides his name (or another id); I check for available authentication methods and list them to the user;
    2. user selects some auth method; I provide additional info to user (e.g. challenge for the challenge-response scheme);
    3. user provides the password/response; I check it against the selected authentication method.

    The old solution doesn't use any Spring solutions. It controls the flow described above and manages user sessions itself.
    So the question is: "Which part of my application logic can be replaced with the Spring Security?"


  • #2
    You could use Spring Security along with Spring Webflow to implement this. We do something very similar on our platform. The beauty of using Webflow along with Spring Security is that you can easily implement different application flows for the different authentication mechanisms. For example, if the user selects two-factor authentication, you may want to give him the option to provision a new token and, when he's done, take him back to the original login screen.

    Of course you don't have to use Webflow, you could just use regular Spring MVC but in my experience "simple" authentication workflows usually end up being a little more complex when you consider all the edge cases.

    One thing you'll soon learn about Spring Security (and Spring in general) is that it's very flexible so you can almost always adapt it to your own scenario.

    Good luck!
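An added example (not code from either poster) of how step 3 of the flow in the question maps onto Spring Security's own extension points: a custom `Authentication` token carrying the user id and the method chosen in step 2, and one `AuthenticationProvider` per method, registered with `ProviderManager`. Steps 1 and 2 (listing the available methods, issuing a challenge) stay in the application's controllers or Webflow definition, as the reply suggests. `MultiStepAuth`, `MultiStepToken`, `OneTimePasswordProvider` and the in-memory one-time password store are assumed names and constructed sample data, not Spring's.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

/** Hypothetical holder class; the nested type names are assumptions, not Spring's. */
public class MultiStepAuth {

    /** Step-3 request: user id from step 1, method chosen in step 2, and the user's response. */
    public static class MultiStepToken extends AbstractAuthenticationToken {
        private final String userId, method, response;

        public MultiStepToken(String userId, String method, String response, boolean verified) {
            // The verified token carries a role and no secret; the request token carries the secret.
            super(verified ? AuthorityUtils.createAuthorityList("ROLE_USER") : null);
            this.userId = userId;
            this.method = method;
            this.response = response;
            setAuthenticated(verified);
        }
        public String getMethod() { return method; }
        @Override public Object getPrincipal() { return userId; }
        @Override public Object getCredentials() { return response; }
    }

    /** One provider per authentication method; ProviderManager asks each one in turn. */
    public static class OneTimePasswordProvider implements AuthenticationProvider {
        // Constructed sample store: user id -> one-time passwords not yet used.
        private final Map<String, Set<String>> otpLists;

        public OneTimePasswordProvider(Map<String, Set<String>> otpLists) { this.otpLists = otpLists; }

        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            MultiStepToken token = (MultiStepToken) auth;
            // Not this provider's method: null tells ProviderManager to try the next provider.
            if (!"otp".equals(token.getMethod())) return null;
            Set<String> remaining = otpLists.getOrDefault(token.getPrincipal(), Collections.emptySet());
            // remove() both checks and consumes the password, so a captured one cannot be replayed;
            // an unknown user gets the same failure as a wrong password.
            if (!remaining.remove(token.getCredentials())) throw new BadCredentialsException("Bad credentials");
            return new MultiStepToken(token.userId, "otp", null, true);
        }

        @Override
        public boolean supports(Class<?> authentication) { return MultiStepToken.class.isAssignableFrom(authentication); }
    }
}
```

The challenge-response and username-password methods become further providers of the same shape, each returning null for a method it does not own, so the selected method in the token decides which check runs.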